[issue16083] HTTPServer does not correctly handle bad headers

2012-10-14 Thread Michele Orrù
Michele Orrù added the comment: Well, it is a security issue IMO, but not particularly harmful. But certainly that's not a RFC violation, since I'm not sending rfc-compliant packets.[0] The best an attacker could do is to DDoS the server running HTTPServer: tracebacks may open file descripto

[issue16083] HTTPServer does not correctly handle bad headers

2012-10-14 Thread Antoine Pitrou
Changes by Antoine Pitrou : -- nosy: +orsenthil ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.pyt

[issue16083] HTTPServer does not correctly handle bad headers

2012-10-14 Thread Terry J. Reedy
Terry J. Reedy added the comment: Is this really a security issue? If so, that should be explained. -- nosy: +terry.reedy ___ Python tracker ___ _

[issue16083] HTTPServer does not correctly handle bad headers

2012-09-28 Thread Michele Orrù
Michele Orrù added the comment: Attaching tests that asserts the issue, and a patch for http.server. Works on tip. Should be ported also to 2.x? Note: that 'f = None' is unnecessary, maybe an isolated commit for that? -- keywords: +patch Added file: http://bugs.python.org/file27336/iss

[issue16083] HTTPServer does not correctly handle bad headers

2012-09-28 Thread Michele Orrù
Changes by Michele Orrù : Added file: http://bugs.python.org/file27337/issue16083.patch ___ Python tracker ___ ___ Python-bugs-list mailing li

[issue16083] HTTPServer does not correctly handle bad headers

2012-09-28 Thread R. David Murray
R. David Murray added the comment: There has been some discussion about what the correct behavior of os.stat is, as well, I think. Alex Gaynor raised a question about testing our behavior when nulls are present. But clearly, if the desired behavior for url processing is different from the ac

[issue16083] HTTPServer does not correctly handle bad headers

2012-09-28 Thread Michele Orrù
Michele Orrù added the comment: Note: on python3, the error is File "/[...]/cpython/Lib/genericpath.py", line 41, in isdir st = os.stat(s) TypeError: embedded NUL character (same exception but different message.) I don't know where to start fixing, because the documentation for os.stat sa

[issue16083] HTTPServer does not correctly handle bad headers

2012-09-28 Thread Michele Orrù
Changes by Michele Orrù : -- nosy: -exarkun ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python

[issue16083] HTTPServer does not correctly handle bad headers

2012-09-28 Thread Michele Orrù
Changes by Michele Orrù : -- nosy: +exarkun ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.

[issue16083] HTTPServer does not correctly handle bad headers

2012-09-28 Thread Christian Heimes
Changes by Christian Heimes : -- nosy: +christian.heimes ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: http:/

[issue16083] HTTPServer does not correctly handle bad headers

2012-09-28 Thread Michele Orrù
New submission from Michele Orrù: Sending a "GET /\0" causes a TypeEror to be raised and the connection to be unexpectedly closed. $ python -m SimpleHTTPServer 8000 $ printf "GET /\00" | nc localhost 8000 TypeError: must be encoded string without NULL bytes, not str --