]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 21bf3f9)
Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
authorGeorg Brandl <georg@python.org>
Tue, 30 Sep 2014 12:56:46 +0000 (14:56 +0200)
committerGeorg Brandl <georg@python.org>
Tue, 30 Sep 2014 12:56:46 +0000 (14:56 +0200)
65536 bytes and send a 414 error code for higher lengths. Patch contributed
by Devin Cook.

Lib/test/test_wsgiref.py patch | blob | history
Lib/wsgiref/simple_server.py patch | blob | history
Misc/ACKS patch | blob | history
Misc/NEWS patch | blob | history

diff --git a/Lib/test/test_wsgiref.py b/Lib/test/test_wsgiref.py
index 08f8d9a604384e317e52e3dffa49d95d6ab889eb..c0bfaa838a7f537cf698ceaa4ff91c7468ac6128 100644 (file)
--- a/Lib/test/test_wsgiref.py
+++ b/Lib/test/test_wsgiref.py
@@ -114,6 +114,11 @@ class IntegrationTests(TestCase):
         out, err = run_amock()
         self.check_hello(out)
 
+    def test_request_length(self):
+        out, err = run_amock(data=b"GET " + (b"x" * 65537) + b" HTTP/1.0\n\n")
+        self.assertEqual(out.splitlines()[0],
+                         b"HTTP/1.0 414 Request-URI Too Long")
+
     def test_validated_hello(self):
         out, err = run_amock(validator(hello_app))
         # the middleware doesn't support len(), so content-length isn't there
diff --git a/Lib/wsgiref/simple_server.py b/Lib/wsgiref/simple_server.py
index af82f953c5329923bfd212f41f418add5af8b992..9c4a83d89821ad57724d3319890e628ccc23836e 100644 (file)
--- a/Lib/wsgiref/simple_server.py
+++ b/Lib/wsgiref/simple_server.py
@@ -114,7 +114,14 @@ class WSGIRequestHandler(BaseHTTPRequestHandler):
     def handle(self):
         """Handle a single HTTP request"""
 
-        self.raw_requestline = self.rfile.readline()
+        self.raw_requestline = self.rfile.readline(65537)
+        if len(self.raw_requestline) > 65536:
+            self.requestline = ''
+            self.request_version = ''
+            self.command = ''
+            self.send_error(414)
+            return
+
         if not self.parse_request(): # An error code has been sent, just exit
             return
 
diff --git a/Misc/ACKS b/Misc/ACKS
index c1df48054f592860ba1d3c5e975962dbe86e2624..c183dc78f3dd7b72d8b19ca6714dc29b2808f0db 100644 (file)
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -219,6 +219,7 @@ Denver Coneybeare
 Geremy Condra
 Juan José Conti
 Matt Conway
+Devin Cook
 David M. Cooke
 Jason R. Coombs
 Garrett Cooper
diff --git a/Misc/NEWS b/Misc/NEWS
index c6df72b0bb04d50a76b14c1658d1440a40441658..d8e61c30388ac8bceffa5ba6870cb9dbaf8f4c77 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,10 @@ What's New in Python 3.2.6?
 Library
 -------
 
+- Issue #22419: Limit the length of incoming HTTP request in wsgiref server to
+  65536 bytes and send a 414 error code for higher lengths. Patch contributed
+  by Devin Cook.
+
 - Issue #22517: When a io.BufferedRWPair object is deallocated, clear its
   weakrefs.
 
Unnamed repository; edit this file 'description' to name the repository.