bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org>
author: Gen Xu <xgbarry@gmail.com> 2021-05-05 22:42:41 (GMT)
committer: GitHub <noreply@github.com> 2021-05-05 22:42:41 (GMT)
commit: 47895e31b6f626bc6ce47d175fe9d43c1098909d (patch)
tree: 2240921e2bb4cdbfd9b59ad04984fd67e25598c3 /Misc/NEWS.d/next/Security
parent: da5c808fb50d34bc2e180d9481706072f33025da (diff)
download: cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.zip
cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.tar.gz
cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
new file mode 100644
index 0000000..cf6b63e
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
@@ -0,0 +1,2 @@
+mod:`http.client` now avoids infinitely reading potential HTTP headers after a
+``100 Continue`` status response from the server.
author	Gen Xu <xgbarry@gmail.com>	2021-05-05 22:42:41 (GMT)
committer	GitHub <noreply@github.com>	2021-05-05 22:42:41 (GMT)
commit	47895e31b6f626bc6ce47d175fe9d43c1098909d (patch)
tree	2240921e2bb4cdbfd9b59ad04984fd67e25598c3 /Misc/NEWS.d/next/Security
parent	da5c808fb50d34bc2e180d9481706072f33025da (diff)
download	cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.zip cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.tar.gz cpython-47895e31b6f626bc6ce47d175fe9d43c1098909d.tar.bz2