Blame SOURCES/00368-CVE-2021-3737.patch

81fea5
From f7fb35b563a9182c22fbdd03c72ec3724dafe918 Mon Sep 17 00:00:00 2001
81fea5
From: Gen Xu <xgbarry@gmail.com>
81fea5
Date: Wed, 5 May 2021 15:42:41 -0700
81fea5
Subject: [PATCH] bpo-44022: Fix http client infinite line reading (DoS) after
81fea5
 a HTTP 100 Continue (GH-25916)
81fea5
81fea5
Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.
81fea5
81fea5
Co-authored-by: Gregory P. Smith <greg@krypto.org>
81fea5
(cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d)
81fea5
81fea5
Co-authored-by: Gen Xu <xgbarry@gmail.com>
81fea5
---
81fea5
 Lib/http/client.py                            | 38 ++++++++++---------
81fea5
 Lib/test/test_httplib.py                      | 10 ++++-
81fea5
 .../2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst  |  2 +
81fea5
 3 files changed, 32 insertions(+), 18 deletions(-)
81fea5
 create mode 100644 Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
81fea5
81fea5
diff --git a/Lib/http/client.py b/Lib/http/client.py
81fea5
index 53581eca20587..07e675fac5981 100644
81fea5
--- a/Lib/http/client.py
81fea5
+++ b/Lib/http/client.py
81fea5
@@ -205,15 +205,11 @@ def getallmatchingheaders(self, name):
81fea5
                 lst.append(line)
81fea5
         return lst
81fea5
 
81fea5
-def parse_headers(fp, _class=HTTPMessage):
81fea5
-    """Parses only RFC2822 headers from a file pointer.
81fea5
-
81fea5
-    email Parser wants to see strings rather than bytes.
81fea5
-    But a TextIOWrapper around self.rfile would buffer too many bytes
81fea5
-    from the stream, bytes which we later need to read as bytes.
81fea5
-    So we read the correct bytes here, as bytes, for email Parser
81fea5
-    to parse.
81fea5
+def _read_headers(fp):
81fea5
+    """Reads potential header lines into a list from a file pointer.
81fea5
 
81fea5
+    Length of line is limited by _MAXLINE, and number of
81fea5
+    headers is limited by _MAXHEADERS.
81fea5
     """
81fea5
     headers = []
81fea5
     while True:
81fea5
@@ -225,6 +221,19 @@ def parse_headers(fp, _class=HTTPMessage):
81fea5
             raise HTTPException("got more than %d headers" % _MAXHEADERS)
81fea5
         if line in (b'\r\n', b'\n', b''):
81fea5
             break
81fea5
+    return headers
81fea5
+
81fea5
+def parse_headers(fp, _class=HTTPMessage):
81fea5
+    """Parses only RFC2822 headers from a file pointer.
81fea5
+
81fea5
+    email Parser wants to see strings rather than bytes.
81fea5
+    But a TextIOWrapper around self.rfile would buffer too many bytes
81fea5
+    from the stream, bytes which we later need to read as bytes.
81fea5
+    So we read the correct bytes here, as bytes, for email Parser
81fea5
+    to parse.
81fea5
+
81fea5
+    """
81fea5
+    headers = _read_headers(fp)
81fea5
     hstring = b''.join(headers).decode('iso-8859-1')
81fea5
     return email.parser.Parser(_class=_class).parsestr(hstring)
81fea5
 
81fea5
@@ -312,15 +321,10 @@ def begin(self):
81fea5
             if status != CONTINUE:
81fea5
                 break
81fea5
             # skip the header from the 100 response
81fea5
-            while True:
81fea5
-                skip = self.fp.readline(_MAXLINE + 1)
81fea5
-                if len(skip) > _MAXLINE:
81fea5
-                    raise LineTooLong("header line")
81fea5
-                skip = skip.strip()
81fea5
-                if not skip:
81fea5
-                    break
81fea5
-                if self.debuglevel > 0:
81fea5
-                    print("header:", skip)
81fea5
+            skipped_headers = _read_headers(self.fp)
81fea5
+            if self.debuglevel > 0:
81fea5
+                print("headers:", skipped_headers)
81fea5
+            del skipped_headers
81fea5
 
81fea5
         self.code = self.status = status
81fea5
         self.reason = reason.strip()
81fea5
diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
81fea5
index 03e049b13fd21..0db287507c7bf 100644
81fea5
--- a/Lib/test/test_httplib.py
81fea5
+++ b/Lib/test/test_httplib.py
81fea5
@@ -971,6 +971,14 @@ def test_overflowing_header_line(self):
81fea5
         resp = client.HTTPResponse(FakeSocket(body))
81fea5
         self.assertRaises(client.LineTooLong, resp.begin)
81fea5
 
81fea5
+    def test_overflowing_header_limit_after_100(self):
81fea5
+        body = (
81fea5
+            'HTTP/1.1 100 OK\r\n'
81fea5
+            'r\n' * 32768
81fea5
+        )
81fea5
+        resp = client.HTTPResponse(FakeSocket(body))
81fea5
+        self.assertRaises(client.HTTPException, resp.begin)
81fea5
+
81fea5
     def test_overflowing_chunked_line(self):
81fea5
         body = (
81fea5
             'HTTP/1.1 200 OK\r\n'
81fea5
@@ -1377,7 +1385,7 @@ def readline(self, limit):
81fea5
 class OfflineTest(TestCase):
81fea5
     def test_all(self):
81fea5
         # Documented objects defined in the module should be in __all__
81fea5
-        expected = {"responses"}  # White-list documented dict() object
81fea5
+        expected = {"responses"}  # Allowlist documented dict() object
81fea5
         # HTTPMessage, parse_headers(), and the HTTP status code constants are
81fea5
         # intentionally omitted for simplicity
81fea5
         blacklist = {"HTTPMessage", "parse_headers"}
81fea5
diff --git a/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
81fea5
new file mode 100644
81fea5
index 0000000000000..cf6b63e396155
81fea5
--- /dev/null
81fea5
+++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
81fea5
@@ -0,0 +1,2 @@
81fea5
+mod:`http.client` now avoids infinitely reading potential HTTP headers after a
81fea5
+``100 Continue`` status response from the server.