Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes.

Lib/test/test_wsgiref.py

@@ -113,6 +113,11 @@ class IntegrationTests(TestCase):
         out, err = run_amock()
         self.check_hello(out)
 
+    def test_request_length(self):
+        out, err = run_amock(data="GET " + ("x" * 65537) + " HTTP/1.0\n\n")
+        self.assertEqual(out.splitlines()[0],
+                         "HTTP/1.0 414 Request-URI Too Long")
+
     def test_validated_hello(self):
         out, err = run_amock(validator(hello_app))
         # the middleware doesn't support len(), so content-length isn't there

Lib/wsgiref/simple_server.py

@@ -113,7 +113,14 @@ class WSGIRequestHandler(BaseHTTPRequestHandler):
     def handle(self):
         """Handle a single HTTP request"""
 
-        self.raw_requestline = self.rfile.readline()
+        self.raw_requestline = self.rfile.readline(65537)
+        if len(self.raw_requestline) > 65536:
+            self.requestline = ''
+            self.request_version = ''
+            self.command = ''
+            self.send_error(414)
+            return
+
         if not self.parse_request(): # An error code has been sent, just exit
             return
 

Misc/ACKS

@@ -268,6 +268,7 @@ Denver Coneybeare
 Phil Connell
 Juan José Conti
 Matt Conway
+Devin Cook
 David M. Cooke
 Jason R. Coombs
 Garrett Cooper

Misc/NEWS

@@ -21,6 +21,10 @@ Core and Builtins
 
 Library
 -------
+- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
+  65536 bytes and send a 414 error code for higher lengths. Patch contributed
+  by Devin Cook.
+
 - Lax cookie parsing in http.cookies could be a security issue when combined
   with non-standard cookie handling in some Web browsers.  Reported by
   Sergey Bobrov.