Created on 2012-09-25 10:25 by christian.heimes, last changed 2022-04-11 14:57 by admin. This issue is now closed.
Files
| File name | Uploaded by | Date |
|---|---|---|
| issue16037_py27.patch | nailor | 2013-02-23 19:45 |
| issue16037_py32.patch | nailor | 2013-02-23 19:52 |
| issue16037_py26.patch | nailor | 2013-09-04 10:19 |
| issue16037_py27_v2.patch | nailor | 2013-09-04 10:20 |
| issue16037_py32_v2.patch | nailor | 2013-09-04 10:20 |
| issue16037_py32_v3.patch | nailor | 2013-10-25 16:39 |
| issue16037_py27_v3.diff | puppet | 2014-08-02 14:00 |
Messages (31)
msg171240 | Author: Christian Heimes (christian.heimes) (Python committer) | Date: 2012-09-25 10:25
The httplib module / package can read arbitrary amounts of data from its socket when it's parsing the HTTP header. This may lead to issues when a user connects to a broken HTTP server or something that isn't HTTP at all. The issue can be broken up into two parts: parsing the HTTP status line and parsing the remaining HTTP headers.
Reading and parsing of the HTTP status line is already limited in Python 3.x. Python 2.7 and lower may read an arbitrary number of bytes from the socket until it finds a newline char. The small patch below is a backport of the Python 3.x behavior to 2.7:
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -362,7 +362,9 @@
def _read_status(self):
# Initialize with Simple-Response defaults
- line = self.fp.readline()
+ line = self.fp.readline(_MAXLINE + 1)
+ if len(line) > _MAXLINE:
+ raise LineTooLong("header line")
if self.debuglevel > 0:
print "reply:", repr(line)
if not line:
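Review bot: the message passed in the new `raise LineTooLong("header line")` names the wrong line; this is `_read_status()`, so an over-long status line will be reported as a header problem. Suggest `raise LineTooLong("status line")` so the error matches what was being read. The hunk also relies on `_MAXLINE` and `LineTooLong` already being defined in 2.7's httplib, which the context lines do not show; that definition must land in the same commit or the new line raises a NameError on the first over-long response. Placing the length check before the debug print and the `if not line:` test is the right order, since nothing else touches the line before it is rejected.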
Both Python 2 and Python 3 accept an unlimited count of HTTP headers with a maximum length of 64k each. As headers are accumulated in a list, it may consume lots of memory. I suggest that we limit the maximum amount of HTTP header lines to a sane value. How does 100 sound to you?
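As an added illustration of the two limits discussed in this report (not code from the issue's patches or from CPython's httplib), the following Python 3 reader applies both a per-line size cap on `readline()` and a cap on the number of accumulated header lines; the constants and the sample inputs are constructed here to match the values under discussion.

```python
import io
from http.client import HTTPException, LineTooLong

# Limits as discussed in the issue (constructed constants, not httplib's own):
# 64 KiB per header line, at most 100 header lines.
MAXLINE = 65536
MAXHEADERS = 100


def read_headers(fp, maxline=MAXLINE, maxheaders=MAXHEADERS):
    """Read the header block from a binary file-like object.

    Two defensive limits: readline() gets a size cap so a peer that never sends
    a line ending cannot make the client buffer without bound, and the number
    of accumulated lines is capped so an endless stream of short headers cannot
    exhaust memory.  Returns the header lines (bytes, line ending stripped) and
    stops at the blank line that terminates the block, or at EOF.
    """
    headers = []
    while True:
        line = fp.readline(maxline + 1)
        if len(line) > maxline:
            raise LineTooLong("header line")
        if line in (b"\r\n", b"\n", b""):
            return headers
        headers.append(line.rstrip(b"\r\n"))
        if len(headers) > maxheaders:
            raise HTTPException("got more than %d headers" % maxheaders)


def read_header_block(raw):
    """Parse a raw header block held in memory (used for the samples below)."""
    return read_headers(io.BytesIO(raw))


def check_peer_headers(raw):
    """Classify a raw header block: 'ok', 'line_too_long' or 'too_many'."""
    try:
        read_header_block(raw)
    except LineTooLong:           # subclass of HTTPException, so test it first
        return "line_too_long"
    except HTTPException:
        return "too_many"
    return "ok"


# Constructed sample inputs standing in for what a peer might send.
GOOD = b"Content-Type: text/plain\r\nContent-Length: 2\r\n\r\nok"
NO_NEWLINE = b"X-Junk: " + b"A" * MAXLINE          # never terminates the line
FLOOD = b"".join(b"X-%d: 1\r\n" % i for i in range(MAXHEADERS + 1)) + b"\r\n"
```

Exactly MAXHEADERS lines still parse; the limit only trips on the line after that, which is how the committed fix is described in this thread.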
msg171250 | Author: Roundup Robot (python-dev) (Python triager) | Date: 2012-09-25 11:29
New changeset 8a22a2804a66 by Christian Heimes in branch '2.7': Issue #16037: Limit httplib's _read_status() function to work around broken http://hg.python.org/cpython/rev/8a22a2804a66
msg171251 | Author: Christian Heimes (christian.heimes) (Python committer) | Date: 2012-09-25 11:31
The readline() limitation in _read_status() was added at some point in the 3.2 line. Python 3.1 has an unlimited readline().
msg171258 | Author: Antoine Pitrou (pitrou) (Python committer) | Date: 2012-09-25 12:30
100 headers sounds more than enough for everybody.
msg182194 | Author: Christian Heimes (christian.heimes) (Python committer) | Date: 2013-02-15 23:58
CVE-2013-1752 Unbound readline() DoS vulnerabilities in Python stdlib
msg182803 | Author: Jyrki Pulliainen (nailor) | Date: 2013-02-23 19:45
Here's a patch that limits the headers to 100. If more than _MAXHEADERS headers are read, this raises exception TooMuchHeaders. The patch is for 2.7, I'll cook one for 3.2 too.
msg182805 | Author: Jyrki Pulliainen (nailor) | Date: 2013-02-23 19:52
...and here's the patch for 3.2
msg185055 | Author: Benjamin Peterson (benjamin.peterson) (Python committer) | Date: 2013-03-23 14:45
Not blocking 2.7.4 as discussed on mailing list.
msg187276 | Author: Mark Lawrence (BreamoreBoy) | Date: 2013-04-18 18:08
Patches LGTM but I suggest TooManyHeaders instead of TooMuchHeaders. I've tried the 3.2 patch against the latest default repo on Windows Vista and it applies cleanly. All tests passed so looks as if this could be committed.
msg196862 | Author: Barry A. Warsaw (barry) (Python committer) | Date: 2013-09-03 18:35
blocker for 2.6.9
msg196898 | Author: Jyrki Pulliainen (nailor) | Date: 2013-09-04 10:19
Reworded TooMuch to TooMany and made a patch for 2.6 too (2.7 didn't apply cleanly there)
msg198610 | Author: Barry A. Warsaw (barry) (Python committer) | Date: 2013-09-29 17:24
As we discussed in other issues regarding the similar problem, I don't really want to introduce a new exception in a point release of 2.6. Is there any reason not to just raise HTTPException with the error message text? Code that has to work across multiple 2.6.X versions won't be able to import the new exception, and thus cannot rely on it anyway. If you agree, I'll make that change when I apply this patch.
msg198618 | Author: Jyrki Pulliainen (nailor) | Date: 2013-09-29 17:55
I'm fine with not introducing a new exception for 2.6 (or any other version for that matter), so go for it :)
msg198619 | Author: Barry A. Warsaw (barry) (Python committer) | Date: 2013-09-29 17:58
I'm just going to go ahead and commit this patch to 2.6 with the change I mentioned. Does anything else need to be done for 2.6?
msg198620 | Author: Roundup Robot (python-dev) (Python triager) | Date: 2013-09-29 18:01
New changeset 582e5072ff89 by Barry Warsaw in branch '2.6': - Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more http://hg.python.org/cpython/rev/582e5072ff89
msg198621 | Author: Barry A. Warsaw (barry) (Python committer) | Date: 2013-09-29 18:02
Thanks!
msg200349 | Author: Larry Hastings (larry) (Python committer) | Date: 2013-10-19 01:22
Ping. Please fix before "beta 1".
msg201162 | Author: Jyrki Pulliainen (nailor) | Date: 2013-10-24 18:47
Patch for py32 applies cleanly on 3.4 too, this should be good to go
msg201255 | Author: Jyrki Pulliainen (nailor) | Date: 2013-10-25 16:39
Third version of the 3.2 patch, this time with documentation of the exception TooManyHeaders
msg201424 | Author: Roundup Robot (python-dev) (Python triager) | Date: 2013-10-27 06:39
New changeset e445d02e5306 by Georg Brandl in branch '3.3': Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than http://hg.python.org/cpython/rev/e445d02e5306
msg201429 | Author: Georg Brandl (georg.brandl) (Python committer) | Date: 2013-10-27 06:45
Also merged to default.
msg213240 | Author: Cory Benfield (Lukasa) | Date: 2014-03-12 10:25
I presume Barry's disinclination to merge this to 2.6 with a new exception applies equally to 2.7, which is why this hasn't been merged to 2.7 yet? I'm happy to review an updated 2.7 patch that raises an HTTPException if that's what we need to keep this moving.
msg222210 | Author: Mark Lawrence (BreamoreBoy) | Date: 2014-07-03 20:19
Is any further work needed on this and similar issues #16038, #16040, #16041, #16042 and #16043?
msg224568 | Author: Daniel Eriksson (puppet) | Date: 2014-08-02 14:00
Updated the patch for 2.7 to raise HTTPException instead of a new Exception.
msg224802 | Author: Roundup Robot (python-dev) (Python triager) | Date: 2014-08-05 04:15
New changeset 5e310c6a8520 by Berker Peksag in branch '2.7': Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more http://hg.python.org/cpython/rev/5e310c6a8520
msg224803 | Author: Berker Peksag (berker.peksag) (Python committer) | Date: 2014-08-05 04:16
Thanks for the patches Jyrki and Daniel.
msg226078 | Author: Terry J. Reedy (terry.reedy) (Python committer) | Date: 2014-08-29 20:43
Looking further, already fixed in 3.x
msg226079 | Author: Arfrever Frehtes Taifersar Arahesis (Arfrever) (Python triager) | Date: 2014-08-29 20:48
Python 3.2 still receives security fixes.
msg226110 | Author: Terry J. Reedy (terry.reedy) (Python committer) | Date: 2014-08-29 23:56
This was never discussed as a security issue. Why do you think it is? Users wasting their *own* time is different from wasting the time of a remote server in a DoS attack.
msg226112 | Author: Antoine Pitrou (pitrou) (Python committer) | Date: 2014-08-30 01:26
A server can include an HTTP client. It's actually quite common these days, given the number of services which are exposed as REST APIs. Now, unless Georg plans to do a new 3.2 release some day, it's not very useful to discuss the inclusion of the fix in 3.2.
msg227890 | Author: Roundup Robot (python-dev) (Python triager) | Date: 2014-09-30 12:47
New changeset deee87d61436 by Georg Brandl in branch '3.2': Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than https://hg.python.org/cpython/rev/deee87d61436
History
| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:57:36 | admin | set | github: 60241 |
| 2014-09-30 13:17:53 | berker.peksag | set | stage: patch review -> resolved |
| 2014-09-30 12:50:04 | georg.brandl | set | status: open -> closed; resolution: fixed |
| 2014-09-30 12:47:28 | python-dev | set | messages: + msg227890 |
| 2014-08-30 01:26:32 | pitrou | set | messages: + msg226112 |
| 2014-08-29 23:56:50 | terry.reedy | set | messages: + msg226110 |
| 2014-08-29 20:48:50 | Arfrever | set | status: closed -> open; resolution: fixed -> (no value); messages: + msg226079; versions: + Python 3.2, - Python 3.4, Python 3.5 |
| 2014-08-29 20:43:25 | terry.reedy | set | status: open -> closed; nosy: + terry.reedy; messages: + msg226078; resolution: fixed |
| 2014-08-29 20:40:52 | terry.reedy | set | stage: needs patch -> patch review; versions: + Python 3.4, Python 3.5, - Python 3.1, Python 3.2 |
| 2014-08-05 04:16:18 | berker.peksag | set | nosy: + berker.peksag; messages: + msg224803; versions: - Python 2.7 |
| 2014-08-05 04:15:03 | python-dev | set | messages: + msg224802 |
| 2014-08-02 14:00:41 | puppet | set | files: + issue16037_py27_v3.diff; nosy: + puppet; messages: + msg224568 |
| 2014-07-03 20:19:01 | BreamoreBoy | set | nosy: + BreamoreBoy; messages: + msg222210 |
| 2014-03-12 10:25:54 | Lukasa | set | messages: + msg213240 |
| 2014-03-12 10:23:06 | Lukasa | set | nosy: + Lukasa |
| 2014-02-03 15:49:34 | BreamoreBoy | set | nosy: - BreamoreBoy |
| 2013-10-27 06:45:59 | georg.brandl | set | messages: + msg201429; versions: - Python 3.3, Python 3.4 |
| 2013-10-27 06:39:04 | python-dev | set | messages: + msg201424 |
| 2013-10-25 16:39:10 | nailor | set | files: + issue16037_py32_v3.patch; messages: + msg201255 |
| 2013-10-24 18:47:36 | nailor | set | messages: + msg201162 |
| 2013-10-19 01:22:47 | larry | set | messages: + msg200349 |
| 2013-09-29 19:11:02 | Arfrever | set | title: httplib: header parsing is not unlimited -> httplib: header parsing is unlimited |
| 2013-09-29 18:02:43 | barry | set | messages: + msg198621; versions: - Python 2.6 |
| 2013-09-29 18:01:31 | python-dev | set | messages: + msg198620 |
| 2013-09-29 17:58:39 | barry | set | messages: + msg198619 |
| 2013-09-29 17:55:20 | nailor | set | messages: + msg198618 |
| 2013-09-29 17:24:58 | barry | set | messages: + msg198610 |
| 2013-09-15 19:42:12 | Arfrever | set | title: httplib: header parsing is not delimited -> httplib: header parsing is not unlimited; versions: + Python 3.1 |
| 2013-09-04 10:20:07 | nailor | set | files: + issue16037_py32_v2.patch |
| 2013-09-04 10:20:03 | nailor | set | files: + issue16037_py27_v2.patch |
| 2013-09-04 10:19:58 | nailor | set | files: + issue16037_py26.patch; messages: + msg196898 |
| 2013-09-03 18:35:18 | barry | set | priority: critical -> release blocker; messages: + msg196862 |
| 2013-04-18 18:08:45 | BreamoreBoy | set | nosy: + BreamoreBoy; messages: + msg187276 |
| 2013-03-23 14:45:23 | benjamin.peterson | set | priority: release blocker -> critical; messages: + msg185055 |
| 2013-02-23 19:52:37 | nailor | set | files: + issue16037_py32.patch; messages: + msg182805 |
| 2013-02-23 19:45:33 | nailor | set | files: + issue16037_py27.patch; nosy: + nailor; messages: + msg182803; keywords: + patch |
| 2013-02-22 23:33:45 | Arfrever | set | nosy: + Arfrever |
| 2013-02-20 22:26:33 | barry | set | nosy: + barry; versions: + Python 2.6 |
| 2013-02-15 23:58:46 | christian.heimes | set | messages: + msg182194 |
| 2013-02-04 17:12:24 | christian.heimes | set | priority: critical -> release blocker; nosy: + benjamin.peterson, georg.brandl, larry |
| 2013-01-20 14:39:08 | christian.heimes | set | priority: normal -> critical; assignee: christian.heimes; stage: needs patch; versions: + Python 3.4 |
| 2012-09-25 12:30:37 | pitrou | set | nosy: + pitrou; messages: + msg171258 |
| 2012-09-25 11:31:23 | christian.heimes | set | messages: + msg171251 |
| 2012-09-25 11:29:54 | python-dev | set | nosy: + python-dev; messages: + msg171250 |
| 2012-09-25 10:25:22 | christian.heimes | create | |