[issue42432] Http client, Bad Status Line triggered for no reason
New submission from sicarius noidea:

Hey,

BadStatusLine is triggered when the protocol version is in lowercase. I've encountered a server that answers "Http/1.0 404 Not Found\r\n" instead of "HTTP/1.0 404 Not Found\r\n".

## Expected Result

Requests understanding the status line.

## Actual Result

Requests is closing the connection.

## Reproduction Steps

### Set up a server that answers the line above

```bash
# printf sends a real CRLF regardless of how the shell's echo treats "\r\n"
while true; do printf 'Http/1.0 404 Not Found\r\n\r\n' | sudo nc -lnvp 80; done
```

### get the server

```python
import requests

# allow_redirects is the requests keyword for disabling redirect following
req = requests.get("http://127.0.0.1/", verify=False, allow_redirects=False)
```

## problem location

Look at line 287 of http/client.py: the word "HTTP" should be matched in lowercase too.

```python
if not version.startswith("HTTP/"):
```

Regards.

--
components: Library (Lib)
messages: 381606
nosy: sicarius.ctf
priority: normal
severity: normal
status: open
title: Http client, Bad Status Line triggered for no reason
type: behavior
versions: Python 3.9

___
Python tracker <https://bugs.python.org/issue42432>
___
Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue42432] Http client, Bad Status Line triggered for no reason
sicarius noidea added the comment:

Hi,

Here I'm using requests to show the behavior because it relies on Python's http lib, and it is faster/simpler to use. The Exception "BadStatusLine" is a part of the http/client.py library.

As per the RFC2616 section 6.1 https://tools.ietf.org/html/rfc2616#section-6.1, there's nothing specifying that the HTTP verb must be uppercase; I think it's more a matter of "common sense". I might have missed something though!
[issue42432] Http client, Bad Status Line triggered for no reason
sicarius noidea added the comment:

Here is the PoC for this error with http.client only (for the server, use the same nc command as in my first message):

```python
>>> import http.client
>>> h1 = http.client.HTTPConnection("127.0.0.1:80")
>>> h1.request("GET", "/")
>>> r1 = h1.getresponse()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.8/http/client.py", line 1347, in getresponse
    response.begin()
  File "/usr/lib/python3.8/http/client.py", line 307, in begin
    version, status, reason = self._read_status()
  File "/usr/lib/python3.8/http/client.py", line 289, in _read_status
    raise BadStatusLine(line)
http.client.BadStatusLine: Http/1.0 404 Not Found
```
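An offline version of the reproduction in the message above, added here as an example (it is not part of the original thread or of CPython). It replaces the `nc` listener with a one-shot loopback server and compares the uppercase and mixed-case status lines; `serve_once` and `probe` are hypothetical helper names, and the status lines are constructed sample input.

```python
import http.client
import socket
import threading


def serve_once(status_line: bytes) -> int:
    """Start a one-shot server on a free loopback port that answers any
    request with status_line and an empty header block; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)  # read and discard the request
            conn.sendall(status_line + b"\r\n\r\n")
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def probe(status_line: bytes) -> str:
    """Return 'ok <status>' when http.client accepts the status line, or
    'BadStatusLine: <line>' when it rejects it and closes the connection."""
    conn = http.client.HTTPConnection("127.0.0.1", serve_once(status_line), timeout=5)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return f"ok {resp.status}"
    except http.client.BadStatusLine as exc:
        # exc.line holds the raw status line, including its trailing CRLF
        return f"BadStatusLine: {exc.line.strip()}"
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample status lines: the canonical form and the one from the report
    for line in (b"HTTP/1.0 404 Not Found", b"Http/1.0 404 Not Found"):
        print(line.decode(), "->", probe(line))
```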
[issue42432] Http client, Bad Status Line triggered for no reason
sicarius noidea added the comment:

Hi @christian.heimes,

Thank you for your research too. We've also discovered that this check is correct, but this check is very strict and blocking (error raised, stopping the connection). We should maybe be more "laxist" and allow the lowercase version? As they do in the other libs? I've never encountered this error with urllib for instance.

The server that answered this HTTP response line is a clone of the "spip" framework used in many websites. This is clearly a human behavior, but this http.client error could be a bit more "intelligent" I guess.
[issue42432] Http client, Bad Status Line triggered for no reason
sicarius noidea added the comment:

Alright, that was a bad idea.

--
resolution: -> rejected
stage: -> resolved
status: open -> closed