Issue #10714: Limit length of incoming request in http.server to 65536 bytes
for security reasons. Initial patch by Ross Lagerwall.
diff --git a/Lib/http/server.py b/Lib/http/server.py
index 2140710..f1538f4 100644
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -358,7 +358,13 @@
"""
try:
- self.raw_requestline = self.rfile.readline()
+ self.raw_requestline = self.rfile.readline(65537)
+ if len(self.raw_requestline) > 65536:
+ self.requestline = ''
+ self.request_version = ''
+ self.command = ''
+ self.send_error(414)
+ return
if not self.raw_requestline:
self.close_connection = 1
return
diff --git a/Lib/test/test_httpservers.py b/Lib/test/test_httpservers.py
index b03637c..85b5ec4 100644
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -566,6 +566,12 @@
self.assertEqual(sum(r == b'Connection: close\r\n' for r in result[1:-1]), 1)
self.handler = usual_handler # Restore to avoid breaking any subsequent tests.
+ def test_request_length(self):
+ # Issue #10714: huge request lines are discarded, to avoid Denial
+ # of Service attacks.
+ result = self.send_typical_request(b'GET ' + b'x' * 65537)
+ self.assertEqual(result[0], b'HTTP/1.1 414 Request-URI Too Long\r\n')
+ self.assertFalse(self.handler.get_called)
class SimpleHTTPRequestHandlerTestCase(unittest.TestCase):
""" Test url parsing """