Issue 7013: Httplib read routine is not tolerant to not well-formed chunked http responses.

Created on 2009-09-28 16:40 by Andrei Korostelev, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name | Uploaded | Description
httplib.python-2.5.diff | Andrei Korostelev, 2009-09-28 16:40 | Patch for Python-2.5
httplib.python-2.6.2.diff | Andrei Korostelev, 2009-09-28 16:45 | Patch for Python-2.6.2
httplib.python-3.1.1.diff | Andrei Korostelev, 2009-09-28 16:50 | Patch for Python-3.1.1
Messages (5)
msg93215 - Author: Andrei Korostelev (Andrei Korostelev) Date: 2009-09-28 16:40
HTTPResponse._read_chunked cannot handle a "slightly" ill-formed HTTP response not ended with a 0 chunk-size. I did not make an analysis of what type of webservers generate such responses, but one of them is bing.com (former msn.com).

Example correct chunked HTTP response:

    HTTP/1.1 200 OK
    Content-Type: text/plain
    Transfer-Encoding: chunked

    B
    first chunk
    A
    last chunk
    0

Example chunked HTTP response not ended with zero length:

    HTTP/1.1 200 OK
    Content-Type: text/plain
    Transfer-Encoding: chunked

    B
    first chunk
    A
    last chunk

Suggested solution: when an empty line is met where a hexadecimal chunk-size is expected, treat it as the end of the HTTP response.

--- C:\Python25\Lib\httplib.py.orig 2008-02-12 20:48:24.000000000 +-0200 +++ C:\Python25\Lib\httplib.py.patched 2009-09-28 18:30:33.000000000 +-0200 @@ -542,12 +542,16 @@ while True: if chunk_left is None: line = self.fp.readline() i = line.find(';') if i >= 0: line = line[:i] # strip chunk-extensions + # handle ill-formed response not ended with 0 chunk-size + line = line.strip() + if not line: + break chunk_left = int(line, 16) if chunk_left == 0: break if amt is None: value += self._safe_read(chunk_left) elif amt < chunk_left:

Attached patches for Python-2.5, Python-2.6 and Python-3.1.
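Review bot: The added "if not line: break" after "line = line.strip()" cannot tell a blank chunk-size line from end of stream, because "self.fp.readline()" also returns an empty string once the peer has closed the connection, so a body cut off between chunks would be returned to the caller as if it were complete. Consider recording that the terminating 0 chunk was never seen (or raising on EOF and tolerating only a genuinely blank line) so callers can distinguish a sloppy server from a truncated transfer. Note also that "chunk_left = int(line, 16)" still raises ValueError for any non-empty, non-hex line, so only this one malformed shape is covered, and the change needs a test that feeds a response lacking the 0 chunk.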
msg93216 - Author: Andrei Korostelev (Andrei Korostelev) Date: 2009-09-28 16:45
Patch for Python-2.6
msg93218 - Author: Andrei Korostelev (Andrei Korostelev) Date: 2009-09-28 16:50
Added patch for python-3.1.1
msg112710 - Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2010-08-03 22:29
When appropriate, patches should have new tests also. Patch looks simple, but I cannot review correctness or whether this could have a negative effect, like stopping too soon. This seems to be a rare need.
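The "stopping too soon" concern above, as an added example (not code from httplib or from the attached patches): a minimal chunked-body decoder with a strict mode and a tolerant mode modelled on the proposed behaviour. The names read_chunked, decode and ChunkedFramingError and the sample byte strings are constructed for illustration.

```python
import io

class ChunkedFramingError(ValueError):
    """Chunked body did not follow chunk-size / data / 0-chunk framing."""

def read_chunked(fp, tolerant=False):
    """Return (body, terminated) for a chunked body read from binary fp.

    terminated is True only if the 0-size last chunk was seen. With
    tolerant=True, a blank line or EOF where a chunk-size is expected
    ends the body (the behaviour the patch proposes).
    """
    body = b""
    while True:
        line = fp.readline().split(b";", 1)[0].strip()  # drop chunk-extensions
        if not line:
            if tolerant:
                return body, False   # caller can still see it was unterminated
            raise ChunkedFramingError("chunk-size missing (blank line or EOF)")
        size = int(line, 16)         # non-hex input raises ValueError
        if size < 0:
            raise ChunkedFramingError("negative chunk-size")
        if size == 0:
            return body, True
        data = fp.read(size)
        if len(data) != size:
            raise ChunkedFramingError("chunk data truncated")
        fp.readline()                # CRLF that closes the chunk data
        body += data

def decode(raw, tolerant=False):
    """Decode a chunked body held in a bytes object."""
    return read_chunked(io.BytesIO(raw), tolerant)

# Constructed sample bodies (headers omitted), based on the report's examples.
WELL_FORMED = b"B\r\nfirst chunk\r\nA\r\nlast chunk\r\n0\r\n\r\n"
NO_ZERO_CHUNK = b"B\r\nfirst chunk\r\nA\r\nlast chunk\r\n\r\n"
CUT_OFF = b"B\r\nfirst chunk\r\n"   # connection dropped after the first chunk

if __name__ == "__main__":
    for name, raw in [("well-formed", WELL_FORMED),
                      ("no 0 chunk", NO_ZERO_CHUNK), ("cut off", CUT_OFF)]:
        print(name, decode(raw, tolerant=True))
```

In tolerant mode the cut-off body and the body missing only its 0 chunk both come back with terminated set to False, so the flag is the only thing that lets a caller treat them as suspect.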
msg131186 - Author: Florent Xicluna (flox) * (Python committer) Date: 2011-03-16 22:28
Duplicate of #900744
History
Date User Action Args
2022-04-11 14:56:53 admin set github: 51262
2011-03-16 22:28:12 flox set status: open -> closed; superseder: catch invalid chunk length in httplib read routine; messages: +; nosy: terry.reedy, orsenthil, dstanek, flox, Andrei Korostelev; resolution: duplicate
2011-03-16 15:30:29 flox set nosy: + flox
2010-12-15 19:55:55 pitrou set assignee: orsenthil; nosy: + orsenthil
2010-08-03 22:33:08 dstanek set nosy: + dstanek
2010-08-03 22:29:16 terry.reedy set versions: + Python 2.7, Python 3.2, - Python 2.6, Python 2.5; nosy: + terry.reedy; messages: +; stage: test needed
2009-09-28 16:50:53 Andrei Korostelev set files: + httplib.python-3.1.1.diff; messages: +
2009-09-28 16:45:45 Andrei Korostelev set files: + httplib.python-2.6.2.diff; messages: +
2009-09-28 16:40:29 Andrei Korostelev create