Author christian.heimes
Recipients christian.heimes
Date 2012-09-25.10:25:21
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1348568722.91.0.654032066819.issue16037@psf.upfronthosting.co.za>
In-reply-to
Content
The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't an HTTP server at all. The issue can be broken up into two parts: parsing the HTTP status line and parsing the remaining HTTP headers.

Reading and parsing of the HTTP status line is already limited in Python 3.x. Python 2.7 and lower may read an arbitrary number of bytes from the socket until it finds a newline char. The small patch below is a backport of the Python 3.x behavior to 2.7:

--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -362,7 +362,9 @@

     def _read_status(self):
         # Initialize with Simple-Response defaults
-        line = self.fp.readline()
+        line = self.fp.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise LineTooLong("header line")
         if self.debuglevel > 0:
             print "reply:", repr(line)
         if not line:
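Review bot: the exception text in the added check mislabels the failure: the line being read in `_read_status` is the status line, but the hunk raises `LineTooLong("header line")`, so a caller cannot tell an over-long status line from an over-long header. Suggest `raise LineTooLong("status line")`. Also note that the hunk relies on `_MAXLINE` and `LineTooLong` already being defined in 2.7's httplib.py (the per-header 64k cap mentioned in the message); the patch description should say so, since the hunk itself does not add them. Minor: the length check sits before the `debuglevel` print, so with debugging enabled an over-long reply is never echoed, which may make diagnosing a misbehaving server harder.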


Both Python 2 and Python 3 accept an unlimited count of HTTP headers with a maximum length of 64k each. As headers are accumulated in a list, this may consume lots of memory. I suggest that we limit the maximum number of HTTP header lines to a sane value. How does 100 sound to you?
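The two limits discussed in this message, a cap on the status line length and a cap on the number of header lines, shown together as an added Python 3 example. This is not code from the patch or from httplib itself; the 65536-byte line cap matches the 64k per-header limit mentioned above, the 100-header cap is the value proposed above, and the function and exception names (read_status, read_headers, parse_response, classify, TooManyHeaders) are this example's own. The sample responses are constructed inline so the example runs offline.

```python
import io

_MAXLINE = 65536     # per-line cap, matching the 64k per-header limit described in the message
_MAXHEADERS = 100    # cap on the number of header lines (the value floated in the message)


class LineTooLong(Exception):
    """Raised when a single line exceeds _MAXLINE bytes (example's own class)."""

    def __init__(self, line_type):
        super().__init__("got more than %d bytes when reading %s" % (_MAXLINE, line_type))


class TooManyHeaders(Exception):
    """Raised when more than _MAXHEADERS header lines arrive (example's own class)."""


def read_status(fp):
    """Read and parse the status line with a hard byte limit.

    readline(_MAXLINE + 1) never reads past the cap, so a peer that sends
    megabytes without a newline cannot make us buffer them all.
    """
    line = fp.readline(_MAXLINE + 1)
    if len(line) > _MAXLINE:
        raise LineTooLong("status line")
    if not line:
        raise ConnectionError("remote end closed connection without response")
    parts = line.decode("iso-8859-1").rstrip("\r\n").split(None, 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("bad status line: %r" % line)
    version, status = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    return version, status, reason


def read_headers(fp):
    """Accumulate header lines, bounding both line length and line count.

    Without the count check the list grows until memory runs out on a
    server that just keeps emitting 64k header lines.
    """
    headers = []
    while True:
        line = fp.readline(_MAXLINE + 1)
        if len(line) > _MAXLINE:
            raise LineTooLong("header line")
        if line in (b"\r\n", b"\n", b""):
            break
        headers.append(line)
        if len(headers) > _MAXHEADERS:
            raise TooManyHeaders("got more than %d headers" % _MAXHEADERS)
    return headers


def parse_response(data):
    """Parse a complete raw response held in memory (stand-in for a socket file)."""
    fp = io.BytesIO(data)
    status = read_status(fp)
    headers = read_headers(fp)
    return status, headers, fp.read()


def classify(data):
    """Return a short label describing how the bounded parser treats `data`."""
    try:
        parse_response(data)
        return "ok"
    except LineTooLong as exc:
        return "line too long: %s" % exc
    except TooManyHeaders:
        return "too many headers"


if __name__ == "__main__":
    # Constructed sample inputs: a normal reply, a status line with no newline
    # at all, and a reply with one header line more than the cap allows.
    good = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello"
    endless_status = b"HTTP/1.1 200 " + b"A" * (_MAXLINE + 10)
    header_flood = b"HTTP/1.1 200 OK\r\n" + b"X-Pad: 1\r\n" * (_MAXHEADERS + 1) + b"\r\n"
    for sample in (good, endless_status, header_flood):
        print(classify(sample))
```

With a real socket the same code applies to `sock.makefile("rb")`, which is what httplib hands to `_read_status`; the point of `readline(_MAXLINE + 1)` is that it returns as soon as the cap is hit, so the over-long case costs at most 64k of buffering rather than whatever the peer chooses to send.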
History
Date                 User              Action   Args
2012-09-25 10:25:23  christian.heimes  set      recipients: + christian.heimes
2012-09-25 10:25:22  christian.heimes  set      messageid: <1348568722.91.0.654032066819.issue16037@psf.upfronthosting.co.za>
2012-09-25 10:25:22  christian.heimes  link     issue16037 messages
2012-09-25 10:25:21  christian.heimes  create