Issue 10714: httpserver request length (original) (raw)

Created on 2010-12-16 04:48 by rosslagerwall, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
httpserver_py3k.patch	rosslagerwall,2010-12-16 04:48	py3k patch to limit length + unittest
httpserver_py3k_v2.patch	rosslagerwall,2010-12-16 16:20	updated to use threading & not hardcode port

Messages (4)
msg124106 - (view)	Author: Ross Lagerwall (rosslagerwall)	Date: 2010-12-16 04:48
BaseHTTPRequestHandler in http.server does not limit the length of the request line so a malicious client can cause the server to run out of memory with a malicious request. This patch limits the length to 64K (like Apache) and sends Error 414 if it exceeds this.
msg124135 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2010-12-16 15:29
Thanks for the patch. First, there's no need to use multiprocessing here. Threading would be sufficient. Second, you shouldn't use an explicit port number, but instead let the server bind itself to whatever port is available (I think 0 using as the port number achieves that).
msg124137 - (view)	Author: Ross Lagerwall (rosslagerwall)	Date: 2010-12-16 16:20
OK, here is an updated patch using threading & 0 as a port number.
msg124139 - (view)	Author: Antoine Pitrou (pitrou) *	Date: 2010-12-16 17:12
It turns out the test could be simplified a lot by reusing the existing infrastructure. I've committed the modified patch in r87317 (3.2), r87318 (3.1) and r87320 (2.7). Thank you!

History
Date	User	Action	Args
2022-04-11 14:57:10	admin	set	github: 54923
2010-12-16 17:12:33	pitrou	set	status: open -> closednosy:pitrou, rosslagerwallmessages: + resolution: fixedstage: resolved
2010-12-16 16:20:34	rosslagerwall	set	files: + httpserver_py3k_v2.patchnosy:pitrou, rosslagerwallmessages: +
2010-12-16 15:29:28	pitrou	set	nosy:pitrou, rosslagerwallmessages: + versions: + Python 3.1, Python 2.7
2010-12-16 04:53:55	rosslagerwall	set	nosy: + pitrou
2010-12-16 04:48:10	rosslagerwall	create