Blame SOURCES/00368-CVE-2021-3737.patch

8aa391
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
8aa391
From: Lumir Balhar <lbalhar@redhat.com>
8aa391
Date: Fri, 17 Sep 2021 07:56:50 +0200
8aa391
Subject: [PATCH] 00368-CVE-2021-3737.patch
8aa391
8aa391
00368 #
8aa391
CVE-2021-3737: http client infinite line reading (DoS) after a HTTP 100 Continue
8aa391
8aa391
Fixes http.client potential denial of service where it could get stuck reading
8aa391
lines from a malicious server after a 100 Continue response.
8aa391
8aa391
Backported from Python 3.
8aa391
8aa391
Co-authored-by: Gregory P. Smith <greg@krypto.org>
8aa391
Co-authored-by: Gen Xu <xgbarry@gmail.com>
8aa391
---
8aa391
 Lib/httplib.py           | 32 +++++++++++++++++++++++---------
8aa391
 Lib/test/test_httplib.py |  8 ++++++++
8aa391
 2 files changed, 31 insertions(+), 9 deletions(-)
8aa391
8aa391
diff --git a/Lib/httplib.py b/Lib/httplib.py
8aa391
index a63677477d5..f9a27619e62 100644
8aa391
--- a/Lib/httplib.py
8aa391
+++ b/Lib/httplib.py
8aa391
@@ -365,6 +365,25 @@ class HTTPMessage(mimetools.Message):
8aa391
                 # It's not a header line; skip it and try the next line.
8aa391
                 self.status = 'Non-header line where header expected'
8aa391
 
8aa391
+
8aa391
+def _read_headers(fp):
8aa391
+    """Reads potential header lines into a list from a file pointer.
8aa391
+    Length of line is limited by _MAXLINE, and number of
8aa391
+    headers is limited by _MAXHEADERS.
8aa391
+    """
8aa391
+    headers = []
8aa391
+    while True:
8aa391
+        line = fp.readline(_MAXLINE + 1)
8aa391
+        if len(line) > _MAXLINE:
8aa391
+            raise LineTooLong("header line")
8aa391
+        headers.append(line)
8aa391
+        if len(headers) > _MAXHEADERS:
8aa391
+            raise HTTPException("got more than %d headers" % _MAXHEADERS)
8aa391
+        if line in (b'\r\n', b'\n', b''):
8aa391
+            break
8aa391
+    return headers
8aa391
+
8aa391
+
8aa391
 class HTTPResponse:
8aa391
 
8aa391
     # strict: If true, raise BadStatusLine if the status line can't be
8aa391
@@ -453,15 +472,10 @@ class HTTPResponse:
8aa391
             if status != CONTINUE:
8aa391
                 break
8aa391
             # skip the header from the 100 response
8aa391
-            while True:
8aa391
-                skip = self.fp.readline(_MAXLINE + 1)
8aa391
-                if len(skip) > _MAXLINE:
8aa391
-                    raise LineTooLong("header line")
8aa391
-                skip = skip.strip()
8aa391
-                if not skip:
8aa391
-                    break
8aa391
-                if self.debuglevel > 0:
8aa391
-                    print "header:", skip
8aa391
+            skipped_headers = _read_headers(self.fp)
8aa391
+            if self.debuglevel > 0:
8aa391
+                print("headers:", skipped_headers)
8aa391
+            del skipped_headers
8aa391
 
8aa391
         self.status = status
8aa391
         self.reason = reason.strip()
8aa391
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
8aa391
index b5fec9aa1ec..d05c0fc28d2 100644
8aa391
--- a/Lib/test/test_httplib.py
8aa391
+++ b/Lib/test/test_httplib.py
8aa391
@@ -700,6 +700,14 @@ class BasicTest(TestCase):
8aa391
         resp = httplib.HTTPResponse(FakeSocket(body))
8aa391
         self.assertRaises(httplib.LineTooLong, resp.begin)
8aa391
 
8aa391
+    def test_overflowing_header_limit_after_100(self):
8aa391
+        body = (
8aa391
+            'HTTP/1.1 100 OK\r\n'
8aa391
+            'r\n' * 32768
8aa391
+        )
8aa391
+        resp = httplib.HTTPResponse(FakeSocket(body))
8aa391
+        self.assertRaises(httplib.HTTPException, resp.begin)
8aa391
+
8aa391
     def test_overflowing_chunked_line(self):
8aa391
         body = (
8aa391
             'HTTP/1.1 200 OK\r\n'