
changeset: 100836:f5247195238f
branch: 3.5
parent: 100834:f41d3321007f
user: Martin Panter vadmium+py@gmail.com
date: Sun Apr 03 00:45:46 2016 +0000
files: Lib/http/server.py Lib/test/test_httpservers.py Misc/NEWS
description:
Issue #26586: Handle excessive header fields in http.server, by Xiang Zhang
diff -r f41d3321007f -r f5247195238f Lib/http/server.py
--- a/Lib/http/server.py Sat Apr 02 04:48:27 2016 +0300
+++ b/Lib/http/server.py Sun Apr 03 00:45:46 2016 +0000
@@ -337,6 +337,13 @@
 HTTPStatus.BAD_REQUEST,
 "Line too long")
 return False
+ except http.client.HTTPException as err:
+ self.send_error(
+ HTTPStatus.REQUEST_HEADER_FIELDS_TOO_LARGE,
+ "Too many headers",
+ str(err)
+ )
+ return False
 conntype = self.headers.get('Connection', "")
 if conntype.lower() == 'close':
diff -r f41d3321007f -r f5247195238f Lib/test/test_httpservers.py
--- a/Lib/test/test_httpservers.py Sat Apr 02 04:48:27 2016 +0300
+++ b/Lib/test/test_httpservers.py Sun Apr 03 00:45:46 2016 +0000
@@ -858,6 +858,13 @@
 self.assertFalse(self.handler.get_called)
 self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
+ def test_too_many_headers(self):
+ result = self.send_typical_request(
+ b'GET / HTTP/1.1\r\n' + b'X-Foo: bar\r\n' * 101 + b'\r\n')
+ self.assertEqual(result[0], b'HTTP/1.1 431 Too many headers\r\n')
+ self.assertFalse(self.handler.get_called)
+ self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
+
 def test_close_connection(self):
 # handle_one_request() should be repeatedly called until
 # it sets close_connection
diff -r f41d3321007f -r f5247195238f Misc/NEWS
--- a/Misc/NEWS Sat Apr 02 04:48:27 2016 +0300
+++ b/Misc/NEWS Sun Apr 03 00:45:46 2016 +0000
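Review bot: The new `except http.client.HTTPException as err:` clause in Lib/http/server.py catches the base exception class, so any HTTPException raised while the headers are parsed is answered with 431 and the fixed text "Too many headers", not only the header-count overflow. It also depends on staying below the existing line-too-long handler, whose `except` line is above this hunk and presumably names a subclass that this clause would otherwise shadow. I would record both facts in a comment above the clause, for example `# header parsing raises a plain HTTPException when the header-count limit is hit; keep this after the more specific handler`. Separately, the Misc/NEWS entry in this commit says "413" while this code and the new test use 431. The enclosing method starts and ends outside the hunk.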
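Review bot: The literal `101` in test_too_many_headers is tied to a header-count limit defined outside this file, and nothing in the test says so; a comment such as `# one more header field than the parser's limit` would explain the number. The test also does not check that the connection is marked for closing after the 431, which matters because the remainder of an oversized request may be left unread on the socket. If the handler exposes it as the comment in the following test suggests, `self.assertTrue(self.handler.close_connection)` would pin that behaviour.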
@@ -99,6 +99,10 @@
 Library
 -------
+- Issue #26586: In http.server, respond with "413 Request header fields too
+ large" if there are too many header fields to parse, rather than killing
+ the connection and raising an unhandled exception. Patch by Xiang Zhang.
+
 - Issue #22854: Change BufferedReader.writable() and BufferedWriter.readable()
 to always return False.
/vadmium+py@gmail.com