msg171240 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2012-09-25 10:25 |
The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't a HTTP at all. The issue can be broken up into two parts: parsing the HTTP status line parsing and parsing the remaining HTTP headers.
Reading and parsing of the HTTP status line is already limited in Python 3.x. Python 2.7 and lower may read arbitrary amounts of bytes from the socket until it finds a newline char. The small patch below is a backport of the Python 3.x behavior to 2.7:
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -362,7 +362,9 @@
def _read_status(self):
# Initialize with Simple-Response defaults
- line = self.fp.readline()
+ line = self.fp.readline(_MAXLINE + 1)
+ if len(line) > _MAXLINE:
+ raise LineTooLong("header line")
if self.debuglevel > 0:
print "reply:", repr(line)
if not line:
Both Python 2 and Python 3 accept an unlimited count of HTTP headers with a maximum length of 64k each. As headers are accumulated in an list it may consume lots of memory. I suggest that we limit the maximum amount of HTTP header lines to a sane value. How does 100 sound to you?
|
msg171250 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2012-09-25 11:29 |
New changeset 8a22a2804a66 by Christian Heimes in branch '2.7':
Issue #16037: Limit httplib's _read_status() function to work around broken
http://hg.python.org/cpython/rev/8a22a2804a66
|
msg171251 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2012-09-25 11:31 |
The readline() limitation in _read_status() was added at some point in the 3.2 line. Python 3.1 has an unlimited readline().
|
msg171258 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2012-09-25 12:30 |
100 headers sounds more than enough for everybody.
|
msg182194 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2013-02-15 23:58 |
CVE-2013-1752 Unbound readline() DoS vulnerabilities in Python stdlib
|
msg182803 - (view) |
Author: Jyrki Pulliainen (nailor) * |
Date: 2013-02-23 19:45 |
Here's a patch that limits the headers to 100. If more than _MAXHEADERS headers are read, this raises exception TooMuchHeaders.
The patch is for 2.7, I'll cook one for 3.2 too.
|
msg182805 - (view) |
Author: Jyrki Pulliainen (nailor) * |
Date: 2013-02-23 19:52 |
...and here's the patch for 3.2
|
msg185055 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2013-03-23 14:45 |
Not blocking 2.7.4 as discussed on mailing list.
|
msg187276 - (view) |
Author: Mark Lawrence (BreamoreBoy) * |
Date: 2013-04-18 18:08 |
Patches LGTM but I suggest TooManyHeaders instead of TooMuchHeaders. I've tried the 3.2 patch against the latest default repo on Windows Vista and it applies cleanly. All tests passed so looks as if this could be committed.
|
msg196862 - (view) |
Author: Barry A. Warsaw (barry) * |
Date: 2013-09-03 18:35 |
blocker for 2.6.9
|
msg196898 - (view) |
Author: Jyrki Pulliainen (nailor) * |
Date: 2013-09-04 10:19 |
Reworded TooMuch to TooMany and made a patch for 2.6 too (2.7 didn't apply cleanly there)
|
msg198610 - (view) |
Author: Barry A. Warsaw (barry) * |
Date: 2013-09-29 17:24 |
As we discussed in other issues regarding the similar problem, I don't really want to introduce a new exception in a point release of 2.6. Is there any reason not to just raise HTTPException with the error message text? Code that has to work across multiple 2.6.X versions won't be able to import the new exception, and thus cannot rely on it anyway.
If you agree, I'll make that change when I apply this patch.
|
msg198618 - (view) |
Author: Jyrki Pulliainen (nailor) * |
Date: 2013-09-29 17:55 |
I'm fine with not introducing a new exception for 2.6 (or any other version for that matter), so go for it :)
|
msg198619 - (view) |
Author: Barry A. Warsaw (barry) * |
Date: 2013-09-29 17:58 |
I'm just going to go ahead and commit this patch to 2.6 with the change I mentioned. Does anything else need to be done for 2.6?
|
msg198620 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2013-09-29 18:01 |
New changeset 582e5072ff89 by Barry Warsaw in branch '2.6':
- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
http://hg.python.org/cpython/rev/582e5072ff89
|
msg198621 - (view) |
Author: Barry A. Warsaw (barry) * |
Date: 2013-09-29 18:02 |
Thanks!
|
msg200349 - (view) |
Author: Larry Hastings (larry) * |
Date: 2013-10-19 01:22 |
Ping. Please fix before "beta 1".
|
msg201162 - (view) |
Author: Jyrki Pulliainen (nailor) * |
Date: 2013-10-24 18:47 |
Patch for py32 applies cleanly on 3.4 too, this should be good to go
|
msg201255 - (view) |
Author: Jyrki Pulliainen (nailor) * |
Date: 2013-10-25 16:39 |
Third version of the 3.2 patch, this time with documentation of the exception TooManyHeaders
|
msg201424 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2013-10-27 06:39 |
New changeset e445d02e5306 by Georg Brandl in branch '3.3':
Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than
http://hg.python.org/cpython/rev/e445d02e5306
|
msg201429 - (view) |
Author: Georg Brandl (georg.brandl) * |
Date: 2013-10-27 06:45 |
Also merged to default.
|
msg213240 - (view) |
Author: Cory Benfield (Lukasa) * |
Date: 2014-03-12 10:25 |
I presume Barry's disinclination to merge this to 2.6 with a new exception applies equally to 2.7, which is why this hasn't been merged to 2.7 yet?
I'm happy to review an updated 2.7 patch that raises an HTTPException if that's what we need to keep this moving.
|
msg222210 - (view) |
Author: Mark Lawrence (BreamoreBoy) * |
Date: 2014-07-03 20:19 |
Is any further work needed on this and similar issues #16038, #16040, #16041, #16042 and #16043 ?
|
msg224568 - (view) |
Author: Daniel Eriksson (puppet) * |
Date: 2014-08-02 14:00 |
Updated the patch for 2.7 to raise HTTPException instead of a new Exception.
|
msg224802 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2014-08-05 04:15 |
New changeset 5e310c6a8520 by Berker Peksag in branch '2.7':
Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
http://hg.python.org/cpython/rev/5e310c6a8520
|
msg224803 - (view) |
Author: Berker Peksag (berker.peksag) * |
Date: 2014-08-05 04:16 |
Thanks for the patches Jyrki and Daniel.
|
msg226078 - (view) |
Author: Terry J. Reedy (terry.reedy) * |
Date: 2014-08-29 20:43 |
Looking further, already fixed in 3.x
|
msg226079 - (view) |
Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) * |
Date: 2014-08-29 20:48 |
Python 3.2 still receives security fixes.
|
msg226110 - (view) |
Author: Terry J. Reedy (terry.reedy) * |
Date: 2014-08-29 23:56 |
This was never discussed as a security issue. Why do you think it is? Users wasting their *own* time is different for wasting the time of a remote server in a DoS attack.
|
msg226112 - (view) |
Author: Antoine Pitrou (pitrou) * |
Date: 2014-08-30 01:26 |
A server can include a HTTP client. It's actually quite common these days, given the number of services which are exposed as REST APIs.
Now, unless Georg plans to do a new 3.2 release some day, it's not very useful to discuss the inclusion of the fix in 3.2.
|
msg227890 - (view) |
Author: Roundup Robot (python-dev) |
Date: 2014-09-30 12:47 |
New changeset deee87d61436 by Georg Brandl in branch '3.2':
Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than
https://hg.python.org/cpython/rev/deee87d61436
|
|
Date |
User |
Action |
Args |
2022-04-11 14:57:36 | admin | set | github: 60241 |
2014-09-30 13:17:53 | berker.peksag | set | stage: patch review -> resolved |
2014-09-30 12:50:04 | georg.brandl | set | status: open -> closed resolution: fixed |
2014-09-30 12:47:28 | python-dev | set | messages:
+ msg227890 |
2014-08-30 01:26:32 | pitrou | set | messages:
+ msg226112 |
2014-08-29 23:56:50 | terry.reedy | set | messages:
+ msg226110 |
2014-08-29 20:48:50 | Arfrever | set | status: closed -> open resolution: fixed -> (no value) messages:
+ msg226079
versions:
+ Python 3.2, - Python 3.4, Python 3.5 |
2014-08-29 20:43:25 | terry.reedy | set | status: open -> closed
nosy:
+ terry.reedy messages:
+ msg226078
resolution: fixed |
2014-08-29 20:40:52 | terry.reedy | set | stage: needs patch -> patch review versions:
+ Python 3.4, Python 3.5, - Python 3.1, Python 3.2 |
2014-08-05 04:16:18 | berker.peksag | set | nosy:
+ berker.peksag
messages:
+ msg224803 versions:
- Python 2.7 |
2014-08-05 04:15:03 | python-dev | set | messages:
+ msg224802 |
2014-08-02 14:00:41 | puppet | set | files:
+ issue16037_py27_v3.diff nosy:
+ puppet messages:
+ msg224568
|
2014-07-03 20:19:01 | BreamoreBoy | set | nosy:
+ BreamoreBoy messages:
+ msg222210
|
2014-03-12 10:25:54 | Lukasa | set | messages:
+ msg213240 |
2014-03-12 10:23:06 | Lukasa | set | nosy:
+ Lukasa
|
2014-02-03 15:49:34 | BreamoreBoy | set | nosy:
- BreamoreBoy
|
2013-10-27 06:45:59 | georg.brandl | set | messages:
+ msg201429 versions:
- Python 3.3, Python 3.4 |
2013-10-27 06:39:04 | python-dev | set | messages:
+ msg201424 |
2013-10-25 16:39:10 | nailor | set | files:
+ issue16037_py32_v3.patch
messages:
+ msg201255 |
2013-10-24 18:47:36 | nailor | set | messages:
+ msg201162 |
2013-10-19 01:22:47 | larry | set | messages:
+ msg200349 |
2013-09-29 19:11:02 | Arfrever | set | title: httplib: header parsing is not unlimited -> httplib: header parsing is unlimited |
2013-09-29 18:02:43 | barry | set | messages:
+ msg198621 versions:
- Python 2.6 |
2013-09-29 18:01:31 | python-dev | set | messages:
+ msg198620 |
2013-09-29 17:58:39 | barry | set | messages:
+ msg198619 |
2013-09-29 17:55:20 | nailor | set | messages:
+ msg198618 |
2013-09-29 17:24:58 | barry | set | messages:
+ msg198610 |
2013-09-15 19:42:12 | Arfrever | set | title: httplib: header parsing is not delimited -> httplib: header parsing is not unlimited versions:
+ Python 3.1 |
2013-09-04 10:20:07 | nailor | set | files:
+ issue16037_py32_v2.patch |
2013-09-04 10:20:03 | nailor | set | files:
+ issue16037_py27_v2.patch |
2013-09-04 10:19:58 | nailor | set | files:
+ issue16037_py26.patch
messages:
+ msg196898 |
2013-09-03 18:35:18 | barry | set | priority: critical -> release blocker
messages:
+ msg196862 |
2013-04-18 18:08:45 | BreamoreBoy | set | nosy:
+ BreamoreBoy messages:
+ msg187276
|
2013-03-23 14:45:23 | benjamin.peterson | set | priority: release blocker -> critical
messages:
+ msg185055 |
2013-02-23 19:52:37 | nailor | set | files:
+ issue16037_py32.patch
messages:
+ msg182805 |
2013-02-23 19:45:33 | nailor | set | files:
+ issue16037_py27.patch
nosy:
+ nailor messages:
+ msg182803
keywords:
+ patch |
2013-02-22 23:33:45 | Arfrever | set | nosy:
+ Arfrever
|
2013-02-20 22:26:33 | barry | set | nosy:
+ barry
versions:
+ Python 2.6 |
2013-02-15 23:58:46 | christian.heimes | set | messages:
+ msg182194 |
2013-02-04 17:12:24 | christian.heimes | set | priority: critical -> release blocker nosy:
+ benjamin.peterson, georg.brandl, larry
|
2013-01-20 14:39:08 | christian.heimes | set | priority: normal -> critical assignee: christian.heimes stage: needs patch versions:
+ Python 3.4 |
2012-09-25 12:30:37 | pitrou | set | nosy:
+ pitrou messages:
+ msg171258
|
2012-09-25 11:31:23 | christian.heimes | set | messages:
+ msg171251 |
2012-09-25 11:29:54 | python-dev | set | nosy:
+ python-dev messages:
+ msg171250
|
2012-09-25 10:25:22 | christian.heimes | create | |