Issue #10714: Limit length of incoming request in http.server to 65536 bytes

for security reasons. Initial patch by Ross Lagerwall.

Issue #10714: Limit length of incoming request in http.server to 65536 bytes
for security reasons. Initial patch by Ross Lagerwall.
c4924379 · Antoine Pitrou · 12de8ac2 · c4924379 · c4924379 · c4924379
Kaydet (Commit) c4924379 authored Ara 16, 2010 tarafından Antoine Pitrou
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 1 deletion

server.py Lib/http/server.py +7 -1

test_httpservers.py Lib/test/test_httpservers.py +6 -0

ACKS Misc/ACKS +1 -0

NEWS Misc/NEWS +3 -0

No files found.
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -358,7 +358,13 @@ class BaseHTTPRequestHandler(socketserver.StreamRequestHandler):

        """
        try:
-            self.raw_requestline = self.rfile.readline()
+            self.raw_requestline = self.rfile.readline(65537)
+            if len(self.raw_requestline) > 65536:
+                self.requestline = ''
+                self.request_version = ''
+                self.command = ''
+                self.send_error(414)
+                return
            if not self.raw_requestline:
                self.close_connection = 1
                return

--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -566,6 +566,12 @@ class BaseHTTPRequestHandlerTestCase(unittest.TestCase):
        self.assertEqual(sum(r == b'Connection: close\r\n' for r in result[1:-1]), 1)
        self.handler = usual_handler        # Restore to avoid breaking any subsequent tests.

+    def test_request_length(self):
+        # Issue #10714: huge request lines are discarded, to avoid Denial
+        # of Service attacks.
+        result = self.send_typical_request(b'GET ' + b'x' * 65537)
+        self.assertEqual(result[0], b'HTTP/1.1 414 Request-URI Too Long\r\n')
+        self.assertFalse(self.handler.get_called)

 class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
    """ Test url parsing """

--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -476,6 +476,7 @@ Andrej Krpic
 Ivan Krstić
 Andrew Kuchling
 Vladimir Kushnir
+Ross Lagerwall
 Cameron Laird
 Jean-Baptiste "Jiba" Lamy
 Torsten Landschoff

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -20,6 +20,9 @@ Core and Builtins
 Library
 -------

+- Issue #10714: Limit length of incoming request in http.server to 65536 bytes
+  for security reasons.  Initial patch by Ross Lagerwall.
+
 - Issue #9558: Fix distutils.command.build_ext with VS 8.0.

 - Issue #10667: Fast path for collections.Counter().