|
|
ae2451 |
|
|
|
ae2451 |
# HG changeset patch
|
|
|
ae2451 |
# User Berker Peksag <berker.peksag@gmail.com>
|
|
|
ae2451 |
# Date 1407212157 -10800
|
|
|
ae2451 |
# Node ID 5e310c6a8520603bca8bc4b40eaf4f074db47c0d
|
|
|
ae2451 |
# Parent 46c7a724b487295257423a69478392cb01ce74e6
|
|
|
ae2451 |
Issue #16037: HTTPMessage.readheaders() raises an HTTPException when more
|
|
|
ae2451 |
than 100 headers are read.
|
|
|
ae2451 |
|
|
|
ae2451 |
Patch by Jyrki Pulliainen and Daniel Eriksson.
|
|
|
ae2451 |
|
|
|
ae2451 |
diff --git a/Lib/httplib.py b/Lib/httplib.py
|
|
|
ae2451 |
--- a/Lib/httplib.py
|
|
|
ae2451 |
+++ b/Lib/httplib.py
|
|
|
ae2451 |
@@ -215,6 +215,10 @@ MAXAMOUNT = 1048576
|
|
|
ae2451 |
# maximal line length when calling readline().
|
|
|
ae2451 |
_MAXLINE = 65536
|
|
|
ae2451 |
|
|
|
ae2451 |
+# maximum amount of headers accepted
|
|
|
ae2451 |
+_MAXHEADERS = 100
|
|
|
ae2451 |
+
|
|
|
ae2451 |
+
|
|
|
ae2451 |
class HTTPMessage(mimetools.Message):
|
|
|
ae2451 |
|
|
|
ae2451 |
def addheader(self, key, value):
|
|
|
ae2451 |
@@ -271,6 +275,8 @@ class HTTPMessage(mimetools.Message):
|
|
|
ae2451 |
elif self.seekable:
|
|
|
ae2451 |
tell = self.fp.tell
|
|
|
ae2451 |
while True:
|
|
|
ae2451 |
+ if len(hlist) > _MAXHEADERS:
|
|
|
ae2451 |
+ raise HTTPException("got more than %d headers" % _MAXHEADERS)
|
|
|
ae2451 |
if tell:
|
|
|
ae2451 |
try:
|
|
|
ae2451 |
startofline = tell()
|
|
|
ae2451 |
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
|
|
|
ae2451 |
--- a/Lib/test/test_httplib.py
|
|
|
ae2451 |
+++ b/Lib/test/test_httplib.py
|
|
|
ae2451 |
@@ -262,6 +262,13 @@ class BasicTest(TestCase):
|
|
|
ae2451 |
if resp.read() != "":
|
|
|
ae2451 |
self.fail("Did not expect response from HEAD request")
|
|
|
ae2451 |
|
|
|
ae2451 |
+ def test_too_many_headers(self):
|
|
|
ae2451 |
+ headers = '\r\n'.join('Header%d: foo' % i for i in xrange(200)) + '\r\n'
|
|
|
ae2451 |
+ text = ('HTTP/1.1 200 OK\r\n' + headers)
|
|
|
ae2451 |
+ s = FakeSocket(text)
|
|
|
ae2451 |
+ r = httplib.HTTPResponse(s)
|
|
|
ae2451 |
+ self.assertRaises(httplib.HTTPException, r.begin)
|
|
|
ae2451 |
+
|
|
|
ae2451 |
def test_send_file(self):
|
|
|
ae2451 |
expected = 'GET /foo HTTP/1.1\r\nHost: example.com\r\n' \
|
|
|
ae2451 |
'Accept-Encoding: identity\r\nContent-Length:'
|