From f0746ca46376647993a47e24051a80fdf679014a Mon Sep 17 00:00:00 2001
From: Georg Brandl <georg@python.org>
Date: Tue, 30 Sep 2014 14:08:04 +0200
Subject: [PATCH] Issue #16037: HTTPMessage.readheaders() raises an
 HTTPException when more than 100 headers are read.  Adapted from patch by
 Jyrki Pulliainen.

---
 Doc/library/http.client.rst | 2 +-
 Lib/http/client.py          | 4 ++++
 Lib/test/test_httplib.py    | 9 +++++++++
 Misc/NEWS                   | 5 ++++-
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/Doc/library/http.client.rst b/Doc/library/http.client.rst
index 7423a4cd36..2f68df751c 100644
--- a/Doc/library/http.client.rst
+++ b/Doc/library/http.client.rst
@@ -169,8 +169,8 @@ The following exceptions are raised as appropriate:
    A subclass of :exc:`HTTPException`.  Raised if a server responds with a HTTP
    status code that we don't understand.
 
-The constants defined in this module are:
 
+The constants defined in this module are:
 
 .. data:: HTTP_PORT
 
diff --git a/Lib/http/client.py b/Lib/http/client.py
index 5466d0618d..f398a64a9f 100644
--- a/Lib/http/client.py
+++ b/Lib/http/client.py
@@ -206,6 +206,8 @@ MAXAMOUNT = 1048576
 
 # maximal line length when calling readline().
 _MAXLINE = 65536
+_MAXHEADERS = 100
+
 
 class HTTPMessage(email.message.Message):
     # XXX The only usage of this method is in
@@ -253,6 +255,8 @@ def parse_headers(fp, _class=HTTPMessage):
         if len(line) > _MAXLINE:
             raise LineTooLong("header line")
         headers.append(line)
+        if len(headers) > _MAXHEADERS:
+            raise HTTPException("got more than %d headers" % _MAXHEADERS)
         if line in (b'\r\n', b'\n', b''):
             break
     hstring = b''.join(headers).decode('iso-8859-1')
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index 420302c332..226e79ecca 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -272,6 +272,15 @@ class BasicTest(TestCase):
         if resp.read():
             self.fail("Did not expect response from HEAD request")
 
+    def test_too_many_headers(self):
+        headers = '\r\n'.join('Header%d: foo' % i
+                              for i in range(client._MAXHEADERS + 1)) + '\r\n'
+        text = ('HTTP/1.1 200 OK\r\n' + headers)
+        s = FakeSocket(text)
+        r = client.HTTPResponse(s)
+        self.assertRaisesRegex(client.HTTPException,
+                               r"got more than \d+ headers", r.begin)
+
     def test_send_file(self):
         expected = (b'GET /foo HTTP/1.1\r\nHost: example.com\r\n'
                     b'Accept-Encoding: identity\r\nContent-Length:')
diff --git a/Misc/NEWS b/Misc/NEWS
index d239d69652..67afa14651 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -1,4 +1,4 @@
-++++++++++
++++++++++++
 Python News
 +++++++++++
 
@@ -10,6 +10,9 @@ What's New in Python 3.2.6?
 Library
 -------
 
+- Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more than
+  100 headers are read.  Adapted from patch by Jyrki Pulliainen.
+
 - Issue #18709: Fix CVE-2013-4238. The SSL module now handles NULL bytes
   inside subjectAltName correctly. Formerly the module has used OpenSSL's
   GENERAL_NAME_print() function to get the string represention of ASN.1
-- 
2.40.0