Author tburke
Recipients ezio.melotti, tburke, vstinner
Date 2018-06-26.18:39:29
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1530038369.47.0.56676864532.issue33973@psf.upfronthosting.co.za>
In-reply-to
Content
This causes (admittedly, buggy) clients that would work with a Python 2 server to stop working when the server upgrades to Python 3. To demonstrate, run `python2.7 -m SimpleHTTPServer 8027` in one terminal and `curl -v http://127.0.0.1:8027/你好` in another -- curl reports

    *   Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to 127.0.0.1 (127.0.0.1) port 8027 (#0)
    > GET /你好 HTTP/1.1
    > Host: 127.0.0.1:8027
    > User-Agent: curl/7.54.0
    > Accept: */*
    >
    * HTTP 1.0, assume close after body
    < HTTP/1.0 404 File not found
    < Server: SimpleHTTP/0.6 Python/2.7.10
    < Date: Tue, 26 Jun 2018 17:23:25 GMT
    < Content-Type: text/html
    < Connection: close
    <
    <head>
    <title>Error response</title>
    </head>
    <body>
    <h1>Error response</h1>
    <p>Error code 404.
    <p>Message: File not found.
    <p>Error code explanation: 404 = Nothing matches the given URI.
    </body>
    * Closing connection 0

...while repeating the experiment with `python3.6 -m http.server 8036` and `curl -v http://127.0.0.1:8036/你好` gives

    *   Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to 127.0.0.1 (127.0.0.1) port 8036 (#0)
    > GET /你好 HTTP/1.1
    > Host: 127.0.0.1:8036
    > User-Agent: curl/7.54.0
    > Accept: */*
    >
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
            "http://www.w3.org/TR/html4/strict.dtd">
    <html>
        <head>
            <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
            <title>Error response</title>
        </head>
        <body>
            <h1>Error response</h1>
            <p>Error code: 400</p>
            <p>Message: Bad request syntax ('GET /ä½\xa0好 HTTP/1.1').</p>
            <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
        </body>
    </html>
    * Connection #0 to host 127.0.0.1 left intact

Granted, a well-behaved client would have quoted the UTF-8 '你好' as '%E4%BD%A0%E5%A5%BD' (in which case everything would have behaved as expected), but RFC 7230 is pretty clear that the request-line should be SP-delimited. While it notes that "recipients MAY instead parse on whitespace-delimited word boundaries and, aside from the CRLF terminator, treat any form of whitespace as the SP separator", it goes on to say that "such whitespace includes one or more of the following octets: SP, HTAB, VT (%x0B), FF (%x0C), or bare CR" with no mention of characters like the (ISO-8859-1 encoded) non-breaking space that caused the 400 response.

FWIW, there was a similar unicode-separators-are-not-the-right-separators bug in header parsing a while back: https://bugs.python.org/issue22233
History
Date User Action Args
2018-06-26 18:39:29tburkesetrecipients: + tburke, vstinner, ezio.melotti
2018-06-26 18:39:29tburkesetmessageid: <1530038369.47.0.56676864532.issue33973@psf.upfronthosting.co.za>
2018-06-26 18:39:29tburkelinkissue33973 messages
2018-06-26 18:39:29tburkecreate