|
|
8aa391 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
8aa391 |
From: Lumir Balhar <lbalhar@redhat.com>
|
|
|
8aa391 |
Date: Fri, 17 Sep 2021 07:56:50 +0200
|
|
|
8aa391 |
Subject: [PATCH] 00368-CVE-2021-3737.patch
|
|
|
8aa391 |
|
|
|
8aa391 |
00368 #
|
|
|
8aa391 |
CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue
|
|
|
8aa391 |
|
|
|
8aa391 |
Fixes http.client potential denial of service where it could get stuck reading
|
|
|
8aa391 |
lines from a malicious server after a 100 Continue response.
|
|
|
8aa391 |
|
|
|
8aa391 |
Backported from Python 3.
|
|
|
8aa391 |
|
|
|
8aa391 |
Co-authored-by: Gregory P. Smith <greg@krypto.org>
|
|
|
8aa391 |
Co-authored-by: Gen Xu <xgbarry@gmail.com>
|
|
|
8aa391 |
---
|
|
|
8aa391 |
Lib/httplib.py | 32 +++++++++++++++++++++++---------
|
|
|
8aa391 |
Lib/test/test_httplib.py | 8 ++++++++
|
|
|
8aa391 |
2 files changed, 31 insertions(+), 9 deletions(-)
|
|
|
8aa391 |
|
|
|
8aa391 |
diff --git a/Lib/httplib.py b/Lib/httplib.py
|
|
|
8aa391 |
index a63677477d5..f9a27619e62 100644
|
|
|
8aa391 |
--- a/Lib/httplib.py
|
|
|
8aa391 |
+++ b/Lib/httplib.py
|
|
|
8aa391 |
@@ -365,6 +365,25 @@ class HTTPMessage(mimetools.Message):
|
|
|
8aa391 |
# It's not a header line; skip it and try the next line.
|
|
|
8aa391 |
self.status = 'Non-header line where header expected'
|
|
|
8aa391 |
|
|
|
8aa391 |
+
|
|
|
8aa391 |
+def _read_headers(fp):
|
|
|
8aa391 |
+ """Reads potential header lines into a list from a file pointer.
|
|
|
8aa391 |
+ Length of line is limited by _MAXLINE, and number of
|
|
|
8aa391 |
+ headers is limited by _MAXHEADERS.
|
|
|
8aa391 |
+ """
|
|
|
8aa391 |
+ headers = []
|
|
|
8aa391 |
+ while True:
|
|
|
8aa391 |
+ line = fp.readline(_MAXLINE + 1)
|
|
|
8aa391 |
+ if len(line) > _MAXLINE:
|
|
|
8aa391 |
+ raise LineTooLong("header line")
|
|
|
8aa391 |
+ headers.append(line)
|
|
|
8aa391 |
+ if len(headers) > _MAXHEADERS:
|
|
|
8aa391 |
+ raise HTTPException("got more than %d headers" % _MAXHEADERS)
|
|
|
8aa391 |
+ if line in (b'\r\n', b'\n', b''):
|
|
|
8aa391 |
+ break
|
|
|
8aa391 |
+ return headers
|
|
|
8aa391 |
+
|
|
|
8aa391 |
+
|
|
|
8aa391 |
class HTTPResponse:
|
|
|
8aa391 |
|
|
|
8aa391 |
# strict: If true, raise BadStatusLine if the status line can't be
|
|
|
8aa391 |
@@ -453,15 +472,10 @@ class HTTPResponse:
|
|
|
8aa391 |
if status != CONTINUE:
|
|
|
8aa391 |
break
|
|
|
8aa391 |
# skip the header from the 100 response
|
|
|
8aa391 |
- while True:
|
|
|
8aa391 |
- skip = self.fp.readline(_MAXLINE + 1)
|
|
|
8aa391 |
- if len(skip) > _MAXLINE:
|
|
|
8aa391 |
- raise LineTooLong("header line")
|
|
|
8aa391 |
- skip = skip.strip()
|
|
|
8aa391 |
- if not skip:
|
|
|
8aa391 |
- break
|
|
|
8aa391 |
- if self.debuglevel > 0:
|
|
|
8aa391 |
- print "header:", skip
|
|
|
8aa391 |
+ skipped_headers = _read_headers(self.fp)
|
|
|
8aa391 |
+ if self.debuglevel > 0:
|
|
|
8aa391 |
+ print("headers:", skipped_headers)
|
|
|
8aa391 |
+ del skipped_headers
|
|
|
8aa391 |
|
|
|
8aa391 |
self.status = status
|
|
|
8aa391 |
self.reason = reason.strip()
|
|
|
8aa391 |
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
|
|
|
8aa391 |
index b5fec9aa1ec..d05c0fc28d2 100644
|
|
|
8aa391 |
--- a/Lib/test/test_httplib.py
|
|
|
8aa391 |
+++ b/Lib/test/test_httplib.py
|
|
|
8aa391 |
@@ -700,6 +700,14 @@ class BasicTest(TestCase):
|
|
|
8aa391 |
resp = httplib.HTTPResponse(FakeSocket(body))
|
|
|
8aa391 |
self.assertRaises(httplib.LineTooLong, resp.begin)
|
|
|
8aa391 |
|
|
|
8aa391 |
+ def test_overflowing_header_limit_after_100(self):
|
|
|
8aa391 |
+ body = (
|
|
|
8aa391 |
+ 'HTTP/1.1 100 OK\r\n'
|
|
|
8aa391 |
+ 'r\n' * 32768
|
|
|
8aa391 |
+ )
|
|
|
8aa391 |
+ resp = httplib.HTTPResponse(FakeSocket(body))
|
|
|
8aa391 |
+ self.assertRaises(httplib.HTTPException, resp.begin)
|
|
|
8aa391 |
+
|
|
|
8aa391 |
def test_overflowing_chunked_line(self):
|
|
|
8aa391 |
body = (
|
|
|
8aa391 |
'HTTP/1.1 200 OK\r\n'
|