[Python-checkins] cpython (3.2): Issue #22419: Limit the length of incoming HTTP request in wsgiref server to

georg.brandl python-checkins at python.org
Tue Sep 30 15:00:17 CEST 2014


https://hg.python.org/cpython/rev/0d115d14adfd
changeset: 92666:0d115d14adfd
branch: 3.2
user: Georg Brandl <georg at python.org>
date: Tue Sep 30 14:56:46 2014 +0200
summary:
 Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
65536 bytes and send a 414 error code for higher lengths. Patch contributed
by Devin Cook.
files:
 Lib/test/test_wsgiref.py | 5 +++++
 Lib/wsgiref/simple_server.py | 9 ++++++++-
 Misc/ACKS | 1 +
 Misc/NEWS | 4 ++++
 4 files changed, 18 insertions(+), 1 deletions(-)
diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py
--- a/Lib/test/test_wsgiref.py
+++ b/Lib/test/test_wsgiref.py
@@ -114,6 +114,11 @@
 out, err = run_amock()
 self.check_hello(out)
 
+ def test_request_length(self):
+ out, err = run_amock(data=b"GET " + (b"x" * 65537) + b" HTTP/1.0\n\n")
+ self.assertEqual(out.splitlines()[0],
+ b"HTTP/1.0 414 Request-URI Too Long")
+
 def test_validated_hello(self):
 out, err = run_amock(validator(hello_app))
 # the middleware doesn't support len(), so content-length isn't there
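Review bot: test_request_length only sends a request line far above the limit (b"x" * 65537 plus the method and version), so it would still pass if the comparison in handle() were off by one. Consider adding a boundary case whose request line is exactly 65536 bytes and asserting that the first line of the response is not the 414 status, so the threshold itself is pinned down by the tests.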
diff --git a/Lib/wsgiref/simple_server.py b/Lib/wsgiref/simple_server.py
--- a/Lib/wsgiref/simple_server.py
+++ b/Lib/wsgiref/simple_server.py
@@ -114,7 +114,14 @@
 def handle(self):
 """Handle a single HTTP request"""
 
- self.raw_requestline = self.rfile.readline()
+ self.raw_requestline = self.rfile.readline(65537)
+ if len(self.raw_requestline) > 65536:
+ self.requestline = ''
+ self.request_version = ''
+ self.command = ''
+ self.send_error(414)
+ return
+
 if not self.parse_request(): # An error code has been sent, just exit
 return
 
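Review bot: the limit appears in handle() as two bare literals, readline(65537) and len(self.raw_requestline) > 65536, which have to be kept one apart by hand. A single named constant (with the read using the constant plus one) would make that relationship explicit and give the limit one place to change. The three assignments of '' to requestline, request_version and command before send_error(414) also deserve a short comment saying why they are needed, since parse_request() has not run on this path and the reason is not evident from the hunk.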
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -219,6 +219,7 @@
 Geremy Condra
 Juan José Conti
 Matt Conway
+Devin Cook
 David M. Cooke
 Jason R. Coombs
 Garrett Cooper
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,10 @@
 Library
 -------
 
+- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
+ 65536 bytes and send a 414 error code for higher lengths. Patch contributed
+ by Devin Cook.
+
 - Issue #22517: When a io.BufferedRWPair object is deallocated, clear its
 weakrefs.
 
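Review bot: the NEWS entry says the length of the "incoming HTTP request" is limited, but the change in simple_server.py only bounds the line read into self.raw_requestline. Wording such as "the length of the request line" would match what the code enforces and avoid implying that headers or the body are capped by this change.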
-- 
Repository URL: https://hg.python.org/cpython

