From c492437922d82b21972a31184af24d15ec23eba8 Mon Sep 17 00:00:00 2001
From: Antoine Pitrou
Date: Thu, 16 Dec 2010 16:48:36 +0000
Subject: Issue #10714: Limit length of incoming request in http.server to 65536 bytes for security reasons. Initial patch by Ross Lagerwall.
---
 Lib/http/server.py | 8 +++++++-
 Lib/test/test_httpservers.py | 6 ++++++
 Misc/ACKS | 1 +
 Misc/NEWS | 3 +++
 4 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 2140710..f1538f4 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -358,7 +358,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):
 """
 try:
- self.raw_requestline = self.rfile.readline()
+ self.raw_requestline = self.rfile.readline(65537)
+ if len(self.raw_requestline) > 65536:
+ self.requestline = ''
+ self.request_version = ''
+ self.command = ''
+ self.send_error(414)
+ return
 if not self.raw_requestline:
 self.close_connection = 1
 return
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index b03637c..85b5ec4 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -566,6 +566,12 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase):
 self.assertEqual(sum(r == b'Connection: close\r\n' for r in result[1:-1]), 1)
 self.handler = usual_handler # Restore to avoid breaking any subsequent tests.
+ def test_request_length(self):
+ # Issue #10714: huge request lines are discarded, to avoid Denial
+ # of Service attacks.
+ result = self.send_typical_request(b'GET ' + b'x' * 65537)
+ self.assertEqual(result[0], b'HTTP/1.1 414 Request-URI Too Long\r\n')
+ self.assertFalse(self.handler.get_called)
 class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
 """ Test url parsing """
diff --git a/Misc/ACKS b/Misc/ACKS
index 29afd59..eaf98a3 100644
--- a/Misc/ACKS
+++ b/Misc/ACKS
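Review bot: The 414 branch returns without touching `self.close_connection` and without discarding the rest of the oversized line, which is still buffered in `self.rfile` after `readline(65537)` stops at 65537 bytes. If `send_error` (outside this hunk) does not itself mark the connection for closing, a keep-alive connection whose previous request cleared `close_connection` would loop back into this method and read the tail of the same oversized line as a fresh request line, so the cheapest defensive fix is to add `self.close_connection = 1` before the `return`, and the test in the next hunk should assert it. The two bare magic numbers also deserve a line such as `# Cap the request line at 64 KiB (plus one byte to detect overflow) so a client cannot force unbounded buffering`, ideally via one module-level constant used for both the `readline` argument and the comparison. Note that only the request line is bounded here; header lines read later by `parse_request` are not covered by this change. The enclosing method's signature and remainder lie outside the hunk.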
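Review bot: The new test checks only the 414 status line and that the GET handler was not invoked; it does not verify that the connection is marked for closing, which is what keeps the unread remainder of the oversized line from being parsed as a follow-up request. If the test handler exposes it, add `self.assertTrue(self.handler.close_connection)` after the existing assertions. A second case at the boundary, a request line of exactly 65536 bytes that should not produce 414, would pin the off-by-one between `readline(65537)` and the `> 65536` check.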
@@ -476,6 +476,7 @@ Andrej Krpic
 Ivan Krstić
 Andrew Kuchling
 Vladimir Kushnir
+Ross Lagerwall
 Cameron Laird
 Jean-Baptiste "Jiba" Lamy
 Torsten Landschoff
diff --git a/Misc/NEWS b/Misc/NEWS
index aa6f350..d171e16 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -20,6 +20,9 @@ Core and Builtins
 Library
 -------
+- Issue #10714: Limit length of incoming request in http.server to 65536 bytes
+ for security reasons. Initial patch by Ross Lagerwall.
+
 - Issue #9558: Fix distutils.command.build_ext with VS 8.0.
 - Issue #10667: Fast path for collections.Counter().
-- cgit v0.12