for security reasons. Initial patch by Ross Lagerwall.
"""
try:
- self.raw_requestline = self.rfile.readline()
+ self.raw_requestline = self.rfile.readline(65537)
+ if len(self.raw_requestline) > 65536:
+ self.requestline = ''
+ self.request_version = ''
+ self.command = ''
+ self.send_error(414)
+ return
if not self.raw_requestline:
self.close_connection = 1
return
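Review bot: The over-length branch returns after `self.send_error(414)` without setting `self.close_connection = 1`, unlike the empty-read branch directly below it. `readline(65537)` leaves the rest of the oversized line unread in `rfile`, so on a persistent connection those bytes would be parsed as the next request line unless `send_error` itself marks the connection for closing, which is not visible in this hunk. Adding `self.close_connection = 1` before the `send_error` call makes that explicit. The limit also covers only the request line; header reads happen elsewhere in the handler and may remain unbounded. The enclosing method starts and ends outside the hunk.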
self.assertEqual(sum(r == b'Connection: close\r\n' for r in result[1:-1]), 1)
self.handler = usual_handler # Restore to avoid breaking any subsequent tests.
+ def test_request_length(self):
+ # Issue #10714: huge request lines are discarded, to avoid Denial
+ # of Service attacks.
+ result = self.send_typical_request(b'GET ' + b'x' * 65537)
+ self.assertEqual(result[0], b'HTTP/1.1 414 Request-URI Too Long\r\n')
+ self.assertFalse(self.handler.get_called)
class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
""" Test url parsing """
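Review bot: `test_request_length` exercises only a request line well past the limit, so an off-by-one in the `> 65536` comparison would go unnoticed. A second case whose request line is exactly 65536 bytes, asserting that the status line is not the 414 response, would pin the boundary. The exact padding depends on what `send_typical_request` appends to the payload, which is not visible here. The test class this method belongs to starts outside the hunk.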
Ivan Krstić
Andrew Kuchling
Vladimir Kushnir
+Ross Lagerwall
Cameron Laird
Jean-Baptiste "Jiba" Lamy
Torsten Landschoff
Library
-------
+- Issue #10714: Limit length of incoming request in http.server to 65536 bytes
+ for security reasons. Initial patch by Ross Lagerwall.
+
- Issue #9558: Fix distutils.command.build_ext with VS 8.0.
- Issue #10667: Fast path for collections.Counter().