Jyrki Pulliainen added the comment:
Reworded TooMuch to TooMany and made a patch for 2.6 too (2.7 didn't apply
cleanly there)
--
Added file: http://bugs.python.org/file31581/issue16037_py26.patch
___
Python tracker rep...@bugs.python.org
Changes by Jyrki Pulliainen jy...@dywypi.org:
Added file: http://bugs.python.org/file31582/issue16037_py27_v2.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue16037
___
Changes by Jyrki Pulliainen jy...@dywypi.org:
Added file: http://bugs.python.org/file31583/issue16037_py32_v2.patch
___
Barry A. Warsaw added the comment:
blocker for 2.6.9
--
priority: critical -> release blocker
___
Mark Lawrence added the comment:
Patches LGTM but I suggest TooManyHeaders instead of TooMuchHeaders. I've
tried the 3.2 patch against the latest default repo on Windows Vista and it
applies cleanly. All tests passed so looks as if this could be committed.
--
nosy: +BreamoreBoy
Benjamin Peterson added the comment:
Not blocking 2.7.4 as discussed on mailing list.
--
priority: release blocker -> critical
___
Jyrki Pulliainen added the comment:
Here's a patch that limits the headers to 100. If more than _MAXHEADERS headers
are read, this raises exception TooMuchHeaders.
The patch is for 2.7, I'll cook one for 3.2 too.
--
keywords: +patch
nosy: +nailor
Added file:
Jyrki Pulliainen added the comment:
...and here's the patch for 3.2
--
Added file: http://bugs.python.org/file29203/issue16037_py32.patch
___
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:
--
nosy: +Arfrever
___
Changes by Barry A. Warsaw ba...@python.org:
--
nosy: +barry
versions: +Python 2.6
___
Christian Heimes added the comment:
CVE-2013-1752 Unbound readline() DoS vulnerabilities in Python stdlib
--
___
Changes by Christian Heimes li...@cheimes.de:
--
nosy: +benjamin.peterson, georg.brandl, larry
priority: critical -> release blocker
___
Changes by Christian Heimes li...@cheimes.de:
--
assignee:  -> christian.heimes
priority: normal -> critical
stage:  -> needs patch
versions: +Python 3.4
___
New submission from Christian Heimes:
The httplib module / package can read arbitrary amounts of data from its socket
when it's parsing the HTTP header. This may lead to issues when a user connects
to a broken HTTP server or something that isn't a HTTP at all. The issue can be
broken up into
Roundup Robot added the comment:
New changeset 8a22a2804a66 by Christian Heimes in branch '2.7':
Issue #16037: Limit httplib's _read_status() function to work around broken
http://hg.python.org/cpython/rev/8a22a2804a66
--
nosy: +python-dev
___
Christian Heimes added the comment:
The readline() limitation in _read_status() was added at some point in the 3.2
line. Python 3.1 has an unlimited readline().
--
___
Antoine Pitrou added the comment:
100 headers sounds more than enough for everybody.
--
nosy: +pitrou
___
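The two bounds discussed in this thread (a capped readline() and a cap of 100 headers), shown as an added example that is not the patch attached to the issue. The `_MAXLINE` value, the names `read_headers` and `classify`, and the sample byte strings are assumptions constructed for illustration.

```python
import io

_MAXLINE = 65536      # assumed per-line byte cap for this example
_MAXHEADERS = 100     # header-count cap discussed in the thread


class LineTooLong(Exception):
    """A single header line exceeded the per-line cap."""


class TooManyHeaders(Exception):
    """More header lines arrived than the header-count cap allows."""


def read_headers(fp, max_line=_MAXLINE, max_headers=_MAXHEADERS):
    """Read raw header lines from a binary file object with both bounds applied."""
    headers = []
    while True:
        # Ask for one byte more than the cap so an oversized line is detected
        # without ever buffering an unbounded amount of data.
        line = fp.readline(max_line + 1)
        if len(line) > max_line:
            raise LineTooLong("header line longer than %d bytes" % max_line)
        if line in (b"\r\n", b"\n", b""):
            return headers  # blank line or EOF ends the header block
        headers.append(line)
        if len(headers) > max_headers:
            raise TooManyHeaders("got more than %d headers" % max_headers)


def classify(raw):
    """Return 'ok', 'LineTooLong' or 'TooManyHeaders' for a constructed response."""
    try:
        read_headers(io.BytesIO(raw))
        return "ok"
    except (LineTooLong, TooManyHeaders) as exc:
        return type(exc).__name__


# Constructed inputs (not captured traffic).
NORMAL = b"Content-Type: text/plain\r\nContent-Length: 0\r\n\r\n"
ENDLESS_LINE = b"X-Pad: " + b"A" * (_MAXLINE * 2)  # the newline never arrives
HEADER_FLOOD = b"".join(b"X-%d: 1\r\n" % i for i in range(_MAXHEADERS + 1)) + b"\r\n"

if __name__ == "__main__":
    for name, raw in [("normal", NORMAL), ("endless line", ENDLESS_LINE),
                      ("header flood", HEADER_FLOOD)]:
        print(name, "->", classify(raw))
```

Without the `max_line + 1` argument, `readline()` would keep buffering until a newline or EOF, which is the unbounded read this issue describes.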