[Python-checkins] cpython (merge 3.3 -> 3.4): Merge from 3.3

senthil.kumaran python-checkins at python.org
Wed Sep 17 10:33:03 CEST 2014


http://hg.python.org/cpython/rev/ba86978c8ab5
changeset:   92454:ba86978c8ab5
branch:      3.4
parent:      92450:d36c0f2ab821
parent:      92453:a4e0aee1a9b5
user:        Senthil Kumaran <senthil at uthcode.com>
date:        Wed Sep 17 16:31:47 2014 +0800
summary:
  Merge from 3.3

Issue #22419: Limit the length of incoming HTTP request in wsgiref server to 65536 bytes.

files:
  Lib/test/test_wsgiref.py     |  5 +++++
  Lib/wsgiref/simple_server.py |  9 ++++++++-
  Misc/ACKS                    |  1 +
  Misc/NEWS                    |  4 ++++
  4 files changed, 18 insertions(+), 1 deletions(-)


diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py
--- a/Lib/test/test_wsgiref.py
+++ b/Lib/test/test_wsgiref.py
@@ -118,6 +118,11 @@
         out, err = run_amock()
         self.check_hello(out)
 
+    def test_request_length(self):
+        out, err = run_amock(data=b"GET " + (b"x" * 65537) + b" HTTP/1.0\n\n")
+        self.assertEqual(out.splitlines()[0],
+                         b"HTTP/1.0 414 Request-URI Too Long")
+
     def test_validated_hello(self):
         out, err = run_amock(validator(hello_app))
         # the middleware doesn't support len(), so content-length isn't there
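Review bot: test_request_length only exercises a request line well past the limit (65537 bytes of path plus the method and version), so an off-by-one in the length comparison would go unnoticed. Add a companion case whose request line is exactly 65536 bytes including the trailing newline and assert that it is not rejected with 414, so both sides of the boundary are pinned down.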
diff --git a/Lib/wsgiref/simple_server.py b/Lib/wsgiref/simple_server.py
--- a/Lib/wsgiref/simple_server.py
+++ b/Lib/wsgiref/simple_server.py
@@ -115,7 +115,14 @@
     def handle(self):
         """Handle a single HTTP request"""
 
-        self.raw_requestline = self.rfile.readline()
+        self.raw_requestline = self.rfile.readline(65537)
+        if len(self.raw_requestline) > 65536:
+            self.requestline = ''
+            self.request_version = ''
+            self.command = ''
+            self.send_error(414)
+            return
+
         if not self.parse_request(): # An error code has been sent, just exit
             return
 
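Review bot: in handle(), the limit appears as two bare literals that have to stay in step, `self.rfile.readline(65537)` and `len(self.raw_requestline) > 65536`. Defining the maximum once as a named constant, with the read using that value plus one, would keep the two from drifting apart and make the limit easy to find. The three assignments of '' to requestline, request_version and command before send_error(414) would also benefit from a one-line comment noting that they are set by hand because parse_request() has not run on this path.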
diff --git a/Misc/ACKS b/Misc/ACKS
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -272,6 +272,7 @@
 Phil Connell
 Juan José Conti
 Matt Conway
+Devin Cook
 David M. Cooke
 Jason R. Coombs
 Garrett Cooper
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -32,6 +32,10 @@
 Library
 -------
 
+- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
+  65536 bytes and send a 414 error code for higher lengths. Patch contributed
+  by Devin Cook.
+
 - Lax cookie parsing in http.cookies could be a security issue when combined
   with non-standard cookie handling in some Web browsers.  Reported by
   Sergey Bobrov.
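Review bot: the added NEWS entry describes the limit as applying to the "incoming HTTP request", but the change to Lib/wsgiref/simple_server.py in this same patch caps only the request line read in handle(), and the new test sends an over-long request line. Wording such as "Limit the length of the HTTP request line accepted by the wsgiref server to 65536 bytes" would avoid implying that headers or the body are bounded by this change.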

-- 
Repository URL: http://hg.python.org/cpython

