New submission from Christian Heimes:

The httplib module / package can read arbitrary amounts of data from its socket 
when it's parsing the HTTP header. This may lead to issues when a user connects 
to a broken HTTP server or something that isn't an HTTP server at all. The issue 
can be broken up into two parts: parsing the HTTP status line and parsing the 
remaining HTTP headers.

Reading and parsing of the HTTP status line is already limited in Python 3.x. 
Python 2.7 and lower may read an arbitrary number of bytes from the socket until 
it finds a newline char. The small patch below is a backport of the Python 3.x 
behavior to 2.7:

--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -362,7 +362,9 @@

     def _read_status(self):
         # Initialize with Simple-Response defaults
-        line = self.fp.readline()
+        line = self.fp.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise LineTooLong("header line")
         if self.debuglevel > 0:
             print "reply:", repr(line)
         if not line:
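Review bot: the message in the new `raise LineTooLong("header line")` describes the status line as a header line; since this check sits in `_read_status`, `raise LineTooLong("status line")` would give a clearer diagnostic to whoever hits it. The hunk also relies on `_MAXLINE` and `LineTooLong` already being defined in Lib/httplib.py for 2.7 (the existing 64k-per-header limit mentioned in the report suggests they are), which the backport should confirm, and a unit test feeding a status line longer than `_MAXLINE` bytes would pin the new behaviour.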


Both Python 2 and Python 3 accept an unlimited count of HTTP headers with a 
maximum length of 64k each. As headers are accumulated in a list it may 
consume lots of memory. I suggest that we limit the maximum number of HTTP 
header lines to a sane value. How does 100 sound to you?

----------
components: Library (Lib)
messages: 171240
nosy: christian.heimes
priority: normal
severity: normal
status: open
title: httplib: header parsing is not delimited
type: resource usage
versions: Python 2.7, Python 3.2, Python 3.3

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue16037>
_______________________________________
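To make both bounds from the report concrete, here is an added Python 3 example (not the patch above and not httplib's own code) that reads a response head from a file-like object with a per-line cap and a header-count cap; the names MAXLINE, MAXHEADERS, TooManyHeaders and parse_response_head are this example's own, and the inputs in demo() are constructed.

```python
import io

# Limits mirroring the report: the existing 64k per-line cap and the
# proposed cap of 100 header lines (names are this example's own).
MAXLINE = 65536
MAXHEADERS = 100


class LineTooLong(Exception):
    pass


class TooManyHeaders(Exception):
    pass


def read_bounded_line(fp, limit=MAXLINE):
    """Read one line, but never buffer more than limit bytes.
    Asking for limit+1 bytes is what lets us detect an over-long line."""
    line = fp.readline(limit + 1)
    if len(line) > limit:
        raise LineTooLong("line exceeds %d bytes" % limit)
    return line


def parse_response_head(fp, max_headers=MAXHEADERS):
    """Parse status line and headers; return (status_code, header_lines).
    EOF before the blank line simply ends the header block."""
    status = read_bounded_line(fp)
    parts = status.split(None, 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("bad status line: %r" % status)
    headers = []
    while True:
        line = read_bounded_line(fp)
        if line in (b"\r\n", b"\n", b""):
            break
        if len(headers) >= max_headers:
            raise TooManyHeaders("more than %d header lines" % max_headers)
        headers.append(line.rstrip(b"\r\n"))
    return int(parts[1]), headers


def demo():
    """Constructed inputs: a sane response, an endless status line, a header flood."""
    good = parse_response_head(io.BytesIO(b"HTTP/1.1 200 OK\r\nHost: example.invalid\r\n\r\n"))
    try:
        parse_response_head(io.BytesIO(b"X" * (MAXLINE + 10)))  # no newline at all
        caught_long = False
    except LineTooLong:
        caught_long = True
    flood = b"HTTP/1.1 200 OK\r\n" + b"X-Filler: 1\r\n" * 150 + b"\r\n"
    try:
        parse_response_head(io.BytesIO(flood))
        caught_flood = False
    except TooManyHeaders:
        caught_flood = True
    return good, caught_long, caught_flood
```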