Commit d2f4fc9b authored by Vincent Pelletier's avatar Vincent Pelletier

wsgi: Raise TooLarge even when Content-Length is not provided.

Prevent the (very unlikely at a 10MB given the manipulated data structures)
risk of a partial read accidentally containing producing a well-formed
Also, only accept base-10 content lengths.
parent 0b871b56
......@@ -2241,6 +2241,12 @@ class CaucaseTest(unittest.TestCase):
'wsgi.input': BytesIO(),
})[0], 413)
'PATH_INFO': '/cau/crt/renew',
'CONTENT_TYPE': 'application/json',
'wsgi.input': BytesIO(b'"' + b'a' * (wsgi.MAX_BODY_LENGTH + 1)),
})[0], 413)
'PATH_INFO': '/cau/crt/renew',
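Review bot: The new case does not pin the size boundary, because the body built here is `MAX_BODY_LENGTH + 2` bytes (the leading `"` plus `MAX_BODY_LENGTH + 1` letters), so an off-by-one in the no-Content-Length path would still pass. A body of exactly `MAX_BODY_LENGTH` bytes expected not to return 413, next to one of `MAX_BODY_LENGTH + 1` bytes expected to return it, would fix the limit in place. No case for a malformed `CONTENT_LENGTH` (non-decimal or negative) is visible in this hunk, although the commit changes how that header is parsed; a case asserting the rejection status would cover it. The test method starts and ends outside the hunk.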
......@@ -652,8 +652,14 @@ class Application(object):
Raises TooLarge if Content-Length if over MAX_BODY_LENGTH.
If Content-Length is not set, reads at most MAX_BODY_LENGTH bytes.
content_length = environ.get('CONTENT_LENGTH')
if not content_length:
result = environ['wsgi.input'].read(MAX_BODY_LENGTH)
if environ['wsgi.input'].read(1):
raise TooLarge(b'Content-Length limit exceeded')
return result
length = int(environ.get('CONTENT_LENGTH') or MAX_BODY_LENGTH)
length = int(content_length, 10)
except ValueError:
raise BadRequest(b'Invalid Content-Length')
if length > MAX_BODY_LENGTH:
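Review bot: A negative Content-Length is still accepted after this change: `int(content_length, 10)` parses `-1` (as well as signed and whitespace-padded forms), and `-1` passes the `length > MAX_BODY_LENGTH` comparison. If the code after the hunk passes `length` to `environ['wsgi.input'].read()`, which the visible lines suggest but do not show, a negative size means read-to-EOF on file-like objects and the body limit no longer applies. Adding `if length < 0:` with `raise BadRequest(b'Invalid Content-Length')` before the size comparison closes that. The docstring lines at the top of the hunk also look stale: without Content-Length the function now raises TooLarge when more data follows rather than only reading "at most MAX_BODY_LENGTH bytes", and "if Content-Length if over" should read "is over". The function starts and ends outside the hunk.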