Roundup Robot added the comment:
New changeset 25ecf3d0ea03 by Benjamin Peterson in branch '3.4':
handle headers with no key (closes #19996)
https://hg.python.org/cpython/rev/25ecf3d0ea03
New changeset 29923a9987be by Benjamin Peterson in branch 'default':
merge 3.4 (#19996)
Jason Robinson added the comment:
I took the patches and verified that:
* running the new tests without the changed code in Lib/email/feedparser.py
(head) and Lib/httplib.py, Lib/rfc822.py (2.7) fails both of the new tests.
* running the new tests with the changed code passes the tests (on both
brian yardy added the comment:
import http.client

# HTTPConnection takes a host (and optional port), not a URL.
h = http.client.HTTPConnection('www.einstantloan.co.uk')
h.request('GET', '/', headers={'Accept-Encoding': 'gzip'})
r = h.getresponse()
hdrs = r.getheaders()
body = r.read()  # Hangs here.

curl --compressed
Cory Benfield added the comment:
Is there anything I can do to help move this forward? I appreciate you're all
busy so I'm happy for this to take as long as it takes, I just wanted to make
sure it's not blocked behind me.
Python tracker
Cory Benfield added the comment:
Ok, here's a patch for 2.7 as well.
I decided to allow the empty header names in rfc822.py as well, if only because
I wanted the changed parsing code to match. If anyone thinks that's an
excessive change, I'll happily remove it.
Added file:
Changes by Cory Benfield c...@lukasa.co.uk:
components: Library (Lib)
nosy: Lukasa
priority: normal
severity: normal
status: open
title: httplib infinite read on invalid header
type: behavior
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3
New submission from Cory Benfield:
Initially spotted on Requests GitHub bugtracker:
https://github.com/kennethreitz/requests/issues/1804
On receiving an HTTP response with an invalid header, httplib stops parsing the
headers and attempts to receive the rest of the message as body content.
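As an added illustration (not code from this issue or from CPython), a constructed response containing a header line with no field name is run through both behaviours discussed in the thread: the old one, where the bad line ends header parsing and the now-unframed body is read until the peer closes the connection, and the fixed one, where the line is recorded as a defect and skipped so Content-Length is still seen:

```python
import io

# Constructed sample (not from the page): the third line has no header name.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b":bogus-value-with-no-name\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)

def split_header_line(line):
    """Return (name, value) for a header line; name is b'' when missing."""
    name, _, value = line.rstrip(b"\r\n").partition(b":")
    return name.strip(), value.strip()

def parse_headers(fp, skip_nameless):
    """Parse a header block. Returns (headers, defects, leftover_bytes).

    skip_nameless=False mimics the pre-fix behaviour: the first line without
    a field name ends header parsing and is handed back as body data.
    skip_nameless=True mimics the fix: the line is noted and parsing continues.
    """
    headers, defects = {}, []
    while True:
        line = fp.readline()
        if line in (b"\r\n", b"\n", b""):        # end of header block
            return headers, defects, b""
        name, value = split_header_line(line)
        if not name:
            if skip_nameless:
                defects.append(line)
                continue
            return headers, defects, line        # old behaviour: stop here
        headers[name.decode("latin-1").lower()] = value.decode("latin-1")

def read_body(fp, headers, leftover):
    """The framing decision made once the headers are (or are not) known."""
    if "content-length" in headers:
        return fp.read(int(headers["content-length"])), "content-length"
    # No framing information: read until the peer closes.  On a keep-alive
    # socket this blocks indefinitely; on BytesIO it simply hits EOF.
    return leftover + fp.read(), "until-close"

def parse_response(raw, skip_nameless):
    fp = io.BytesIO(raw)
    fp.readline()                                # status line, ignored here
    headers, defects, leftover = parse_headers(fp, skip_nameless)
    body, framing = read_body(fp, headers, leftover)
    return headers, defects, body, framing
```

`parse_response(RAW_RESPONSE, False)` reports no Content-Length and falls back to reading until close; `parse_response(RAW_RESPONSE, True)` sees the length and returns exactly the five-byte body.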
R. David Murray added the comment:
Well, having it hang forever is a potential DOS attack, so something needs to
be fixed, I think.
nosy: +christian.heimes, r.david.murray
Cory Benfield added the comment:
The easiest way to 'fix' the DoS problem is to throw an exception if an invalid
header is parsed. That's a backwards-compatibility problem though: things that
previously 'worked' now won't. That presumably limits the ability to back-apply
this fix to 2.7.7.
R. David Murray added the comment:
I haven't looked at the code, but could we preserve the existing behavior but
apply a timeout to mitigate the DOS?
On the other hand, the fact that curl manages to return something indicates
there is probably an error recovery strategy that would work. I'm
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:
nosy: +Arfrever
http://bugs.python.org/issue19996
Cory Benfield added the comment:
Maybe. If we do it we have to apply that timeout to all the socket actions on
that HTTP connection. This would have the effect of changing the default value
of the timeout parameter on the HTTPConnection object from
socket._GLOBAL_DEFAULT_TIMEOUT to whatever
Cory Benfield added the comment:
An update: in Python 2.7 through 3.3, fixing this should only affect
http.client/httplib, because they do most of their header parsing themselves.
Fixing this in later versions of Python is more interesting, as http.client got
rewritten to use email.parser
Cory Benfield added the comment:
Actually, that might be OK. I don't know the email package at all, but I
suspect being able to handle empty header keys (by ignoring them) is a
reasonable thing to do in the email case as well. Thoughts?
Cory Benfield added the comment:
Alright, here's a patch for the current tip. I'll need to prepare a different
patch for earlier versions of Python, which will take me a little while longer
to do (maybe not today). I've also signed a contributor agreement, but it
doesn't look like that's
R. David Murray added the comment:
Heh. A missing header *name* was something I never considered in the email
package tests. So yeah, that's worth handling one way or another. I'll put
reviewing this on my TODO list, since I'm the maintainer of the email package.
I'm updating the versions