Commit cdabc372 authored by Senthil Kumaran's avatar Senthil Kumaran

Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes.

parent c9cdd0cc
...@@ -113,6 +113,11 @@ class IntegrationTests(TestCase): ...@@ -113,6 +113,11 @@ class IntegrationTests(TestCase):
out, err = run_amock() out, err = run_amock()
self.check_hello(out) self.check_hello(out)
def test_request_length(self):
out, err = run_amock(data="GET " + ("x" * 65537) + " HTTP/1.0\n\n")
self.assertEqual(out.splitlines()[0],
"HTTP/1.0 414 Request-URI Too Long")
def test_validated_hello(self): def test_validated_hello(self):
out, err = run_amock(validator(hello_app)) out, err = run_amock(validator(hello_app))
# the middleware doesn't support len(), so content-length isn't there # the middleware doesn't support len(), so content-length isn't there
......
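Review bot: test_request_length only exercises a request line far above the limit, so the boundary that the guard in WSGIRequestHandler.handle draws (a line of 65536 bytes accepted, 65537 rejected) is untested and an off-by-one in either the readline cap or the comparison would still pass. A second case whose whole request line, newline included, is exactly 65536 bytes should assert the first output line is not the 414 status, and one at 65537 bytes should assert it is; the URI length for those cases depends on the `"GET "` and `" HTTP/1.0\n"` framing, so derive it from the limit rather than hard-coding it, e.g. `uri_len = 65536 - len("GET  HTTP/1.0\n")`. The enclosing IntegrationTests class continues outside the hunk.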
...@@ -113,7 +113,14 @@ class WSGIRequestHandler(BaseHTTPRequestHandler): ...@@ -113,7 +113,14 @@ class WSGIRequestHandler(BaseHTTPRequestHandler):
def handle(self): def handle(self):
"""Handle a single HTTP request""" """Handle a single HTTP request"""
self.raw_requestline = self.rfile.readline() self.raw_requestline = self.rfile.readline(65537)
if len(self.raw_requestline) > 65536:
self.requestline = ''
self.request_version = ''
self.command = ''
self.send_error(414)
return
if not self.parse_request(): # An error code has been sent, just exit if not self.parse_request(): # An error code has been sent, just exit
return return
......
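Review bot: The cap in `self.rfile.readline(65537)` and the test `if len(self.raw_requestline) > 65536:` only work together because the read limit is one byte above the accepted length, and nothing in the hunk says so; a comment such as `# Read at most limit+1 bytes so an over-long request line shows up as len > 65536 instead of being read unbounded (same scheme as http.server's handle_one_request)` would keep the two numbers from drifting apart, ideally by naming the limit once as a module constant that the test in test_wsgiref can import. The three empty-string assignments before `self.send_error(414)` also deserve a why-comment, since send_error() goes on to log the request and build the status line from requestline, command and request_version, which parse_request() has not had a chance to set on this early-return path. The remainder of handle() lies outside the hunk.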
...@@ -268,6 +268,7 @@ Denver Coneybeare ...@@ -268,6 +268,7 @@ Denver Coneybeare
Phil Connell Phil Connell
Juan José Conti Juan José Conti
Matt Conway Matt Conway
Devin Cook
David M. Cooke David M. Cooke
Jason R. Coombs Jason R. Coombs
Garrett Cooper Garrett Cooper
......
...@@ -21,6 +21,10 @@ Core and Builtins ...@@ -21,6 +21,10 @@ Core and Builtins
Library Library
------- -------
- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
65536 bytes and send a 414 error code for higher lengths. Patch contributed
by Devin Cook.
- Lax cookie parsing in http.cookies could be a security issue when combined - Lax cookie parsing in http.cookies could be a security issue when combined
with non-standard cookie handling in some Web browsers. Reported by with non-standard cookie handling in some Web browsers. Reported by
Sergey Bobrov. Sergey Bobrov.
......