bpo-44022: Fix http client infinite line reading (DoS) after a http 100 #25916
Conversation
|
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA). Recognized GitHub usernameWe couldn't find a bugs.python.org (b.p.o) account corresponding to the following GitHub usernames: This might be simply due to a missing "GitHub Name" entry in one's b.p.o account settings. This is necessary for legal reasons before we can look at this contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. CLA MissingOur records indicate the following people have not signed the CLA: For legal reasons we need all the people listed to sign the CLA before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. If you have recently signed the CLA, please wait at least one business day You can check yourself to see if the CLA has been received. Thanks again for the contribution, we look forward to reviewing it! |
gen-xu
changed the title
|
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase |
gpshead
added
needs backport to 3.9
gpshead
changed the title
|
I have made the requested changes; please review again |
|
Thanks for making the requested changes! @gpshead: please review the changes made to this pull request. |
|
GH-25931 is a backport of this pull request to the 3.10 branch. |
|
GH-25932 is a backport of this pull request to the 3.9 branch. |
…00 Continue (pythonGH-25916) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e3) Co-authored-by: Gen Xu <xgbarry@gmail.com>
|
GH-25933 is a backport of this pull request to the 3.8 branch. |
…00 Continue (pythonGH-25916) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e3) Co-authored-by: Gen Xu <xgbarry@gmail.com>
|
GH-25934 is a backport of this pull request to the 3.7 branch. |
…00 Continue (pythonGH-25916) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e3) Co-authored-by: Gen Xu <xgbarry@gmail.com>
|
GH-25935 is a backport of this pull request to the 3.6 branch. |
…00 Continue (GH-25916) (GH-25931) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e3) Co-authored-by: Gen Xu <xgbarry@gmail.com>
…00 Continue (GH-25916) (#25933) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e3) Co-authored-by: Gen Xu <xgbarry@gmail.com>
…00 Continue (GH-25916) (GH-25935) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e3) Co-authored-by: Gen Xu <xgbarry@gmail.com>
…00 Continue (GH-25916) (GH-25934) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e3) Co-authored-by: Gen Xu <xgbarry@gmail.com>
… a HTTP 100 Continue (pythonGH-25916) Backport the fix from the following commit: commit 47895e3 Author: Gen Xu <xgbarry@gmail.com> Date: 2021-05-06 00:42:41 +0200 bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (pythonGH-25916) Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> Instead of reusing the header reading code, I have just added explicit counter to avoid having to refactor the old code. Plus the improved test from: commit e60ab84 Author: Gregory P. Smith <greg@krypto.org> Date: 2021-06-03 05:43:38 +0200 bpo-44022: Improve the regression test. (pythonGH-26503) It wasn't actually detecting the regression due to the assertion being too lenient.
|
Can you apply for a CVE? I think this bug is still a little serious. |
|
Redhat issues CVEs for CPython (though I don't think this is actually documented anywhere. They've assigned CVE-2021-3737. |
https://bugs.python.org/issue44022