[3.14] gh-150743: Limit trailer lines and interim responses read by http.client#150749
Draft
gpshead wants to merge 2 commits into
Draft
[3.14] gh-150743: Limit trailer lines and interim responses read by http.client#150749gpshead wants to merge 2 commits into
gpshead wants to merge 2 commits into
Conversation
A server could stream syntactically valid trailer lines forever after the final chunk of a chunked response, so reading the response would never return. Socket timeouts cannot interrupt this because data keeps arriving within every timeout window. Trailer lines are now counted against the same limit as response headers (100 by default) and HTTPException is raised when the limit is exceeded. (cherry picked from commit 752bef5047e54e21af0e48a339b54fbae2a6c831)
HTTPResponse.begin() skipped 100 Continue responses in an unbounded loop, so a server streaming them forever would hang getresponse() regardless of any socket timeout. At most 100 interim responses are now skipped before HTTPException is raised. (cherry picked from commit 508e86d8811e8e17350bf2c6fb23d3bb2d3ff795)
gpshead
added
type-security
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
http.client read chunked-response trailer lines and skipped interim (1xx)
responses in unbounded loops, so a server streaming either forever would
hang the client even with a socket timeout set (data keeps arriving, so
the timeout never fires).
Trailer lines are now limited to max_response_headers (100 by default)
and interim responses to 100; HTTPException is raised past either limit.
Follow-up to gh-88188 for CVE-2021-3737, which bounded header lines
within an interim response but not these two sibling loops.
This issue was reported to us via GHSA-w4q2-g22w-6fr4