bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916) (#25933)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d) Co-authored-by: Gen Xu <xgbarry@gmail.com>
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> 2021-05-06 08:52:26 (GMT)
committer: GitHub <noreply@github.com> 2021-05-06 08:52:26 (GMT)
commit: f396864ddfe914531b5856d7bf852808ebfc01ae (patch)
tree: fff3db1375c321dc0eadf85ee6a0a893542dacc2 /Misc
parent: 515a7bc4e13645d0945b46a8e1d9102b918cd407 (diff)
download: cpython-f396864ddfe914531b5856d7bf852808ebfc01ae.zip
cpython-f396864ddfe914531b5856d7bf852808ebfc01ae.tar.gz
cpython-f396864ddfe914531b5856d7bf852808ebfc01ae.tar.bz2
1 files changed, 2 insertions, 0 deletions
diff --git a/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
new file mode 100644
index 0000000..cf6b63e
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
@@ -0,0 +1,2 @@
+mod:`http.client` now avoids infinitely reading potential HTTP headers after a
+``100 Continue`` status response from the server.
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	2021-05-06 08:52:26 (GMT)
committer	GitHub <noreply@github.com>	2021-05-06 08:52:26 (GMT)
commit	f396864ddfe914531b5856d7bf852808ebfc01ae (patch)
tree	fff3db1375c321dc0eadf85ee6a0a893542dacc2 /Misc
parent	515a7bc4e13645d0945b46a8e1d9102b918cd407 (diff)
download	cpython-f396864ddfe914531b5856d7bf852808ebfc01ae.zip cpython-f396864ddfe914531b5856d7bf852808ebfc01ae.tar.gz cpython-f396864ddfe914531b5856d7bf852808ebfc01ae.tar.bz2