From: Georg Brandl <georg@python.org>
Date: Sun, 24 Feb 2008 00:03:22 +0000 (+0000)
Subject: #900744: If an invalid chunked-encoding header is sent by a server,
X-Git-Tag: v2.6a1~72
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2363503074a3f1c2dbe934bed0c865d326e34c1a;p=python

#900744: If an invalid chunked-encoding header is sent by a server,
httplib will now raise IncompleteRead and close the connection instead
of raising ValueError.
---

diff --git a/Lib/httplib.py b/Lib/httplib.py
index c7d8e781df..bb4b59e701 100644
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -546,7 +546,13 @@ class HTTPResponse:
                 i = line.find(';')
                 if i >= 0:
                     line = line[:i] # strip chunk-extensions
-                chunk_left = int(line, 16)
+                try:
+                    chunk_left = int(line, 16)
+                except ValueError:
+                    # close the connection as protocol synchronisation is
+                    # probably lost
+                    self.close()
+                    raise IncompleteRead(value)
                 if chunk_left == 0:
                     break
             if amt is None:
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index d312ae5fa9..e9dd9d66c3 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -156,6 +156,35 @@ class BasicTest(TestCase):
         conn.request('GET', '/foo', body)
         self.assertTrue(sock.data.startswith(expected))
 
+    def test_chunked(self):
+        chunked_start = (
+            'HTTP/1.1 200 OK\r\n'
+            'Transfer-Encoding: chunked\r\n\r\n'
+            'a\r\n'
+            'hello worl\r\n'
+            '1\r\n'
+            'd\r\n'
+        )
+        sock = FakeSocket(chunked_start + '0\r\n')
+        resp = httplib.HTTPResponse(sock, method="GET")
+        resp.begin()
+        self.assertEquals(resp.read(), 'hello world')
+        resp.close()
+
+        for x in ('', 'foo\r\n'):
+            sock = FakeSocket(chunked_start + x)
+            resp = httplib.HTTPResponse(sock, method="GET")
+            resp.begin()
+            try:
+                resp.read()
+            except httplib.IncompleteRead, i:
+                self.assertEquals(i.partial, 'hello world')
+            else:
+                self.fail('IncompleteRead expected')
+            finally:
+                resp.close()
+
+
 class OfflineTest(TestCase):
     def test_responses(self):
         self.assertEquals(httplib.responses[httplib.NOT_FOUND], "Not Found")
diff --git a/Misc/NEWS b/Misc/NEWS
index cac693286d..9d9264e0e3 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -441,6 +441,10 @@ Core and builtins
 Library
 -------
 
+- #900744: If an invalid chunked-encoding header is sent by a server,
+  httplib will now raise IncompleteRead and close the connection instead
+  of raising ValueError.
+
 - #1492: The content type of BaseHTTPServer error messages can now be
   overridden.