commit 60ba0b68470a584103e28958d91e93a6db37ec92
author Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Wed May 05 16:14:28 2021 -0700
committer GitHub <noreply@github.com> Wed May 05 16:14:28 2021 -0700
tree 45a48643d20bec4f6c2eebc109bb273b1ca525a9
parent 24f1d1a8a2c4aa58a606b4b6d5fa4305a3b91705

bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916) (GH-25931)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e31b6f626bc6ce47d175fe9d43c1098909d)

Co-authored-by: Gen Xu <xgbarry@gmail.com>

Lib/test/test_httplib.py

diff --git a/Lib/test/test_httplib.py b/Lib/test/test_httplib.py
index db41e29..e927256 100644
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@@ -1180,6 +1180,14 @@ def test_overflowing_header_line(self):
         resp = client.HTTPResponse(FakeSocket(body))
         self.assertRaises(client.LineTooLong, resp.begin)
 
+    def test_overflowing_header_limit_after_100(self):
+        body = (
+            'HTTP/1.1 100 OK\r\n'
+            'r\n' * 32768
+        )
+        resp = client.HTTPResponse(FakeSocket(body))
+        self.assertRaises(client.HTTPException, resp.begin)
+
     def test_overflowing_chunked_line(self):
         body = (
             'HTTP/1.1 200 OK\r\n'
@@ -1581,7 +1589,7 @@ def readline(self, limit):
 class OfflineTest(TestCase):
     def test_all(self):
         # Documented objects defined in the module should be in __all__
-        expected = {"responses"}  # White-list documented dict() object
+        expected = {"responses"}  # Allowlist documented dict() object
         # HTTPMessage, parse_headers(), and the HTTP status code constants are
         # intentionally omitted for simplicity
         denylist = {"HTTPMessage", "parse_headers"}