[3.13] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) (GH-142130)

The CGI server on Windows could consume the amount of memory specified in the Content-Length header of the request even if the client does not send such much data. Now it reads the POST request body by chunks, so that the memory consumption is proportional to the amount of sent data. (cherry picked from commit 29c657a1f2) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
2026-01-04 14:32:21 +00:00 · 2025-12-01 15:22:10 +01:00 · 2025-12-01 15:22:10 +01:00 · 6c922bbe28
commit 6c922bbe28
parent 69fbef0d60
3 changed files with 57 additions and 1 deletions
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -802,6 +802,20 @@ def test_path_without_leading_slash(self):
 print("</pre>")
 """

+cgi_file7 = """\
+#!%s
+import os
+import sys
+
+print("Content-type: text/plain")
+print()
+
+content_length = int(os.environ["CONTENT_LENGTH"])
+body = sys.stdin.buffer.read(content_length)
+
+print(f"{content_length} {len(body)}")
+"""
+

@unittest.skipIf(hasattr(os, 'geteuid') and os.geteuid() == 0,
        "This test can't be run reliably as root (issue #13308).")
@ -841,6 +855,8 @@ def setUp(self):
        self.file3_path = None
        self.file4_path = None
        self.file5_path = None
+        self.file6_path = None
+        self.file7_path = None

        # The shebang line should be pure ASCII: use symlink if possible.
        # See issue #7668.
@ -895,6 +911,11 @@ def setUp(self):
            file6.write(cgi_file6 % self.pythonexe)
        os.chmod(self.file6_path, 0o777)

+        self.file7_path = os.path.join(self.cgi_dir, 'file7.py')
+        with open(self.file7_path, 'w', encoding='utf-8') as file7:
+            file7.write(cgi_file7 % self.pythonexe)
+        os.chmod(self.file7_path, 0o777)
+
        os.chdir(self.parent_dir)

    def tearDown(self):
@ -917,6 +938,8 @@ def tearDown(self):
                os.remove(self.file5_path)
            if self.file6_path:
                os.remove(self.file6_path)
+            if self.file7_path:
+                os.remove(self.file7_path)
            os.rmdir(self.cgi_child_dir)
            os.rmdir(self.cgi_dir)
            os.rmdir(self.cgi_dir_in_sub_dir)
@ -989,6 +1012,21 @@ def test_post(self):

        self.assertEqual(res.read(), b'1, python, 123456' + self.linesep)

+    def test_large_content_length(self):
+        for w in range(15, 25):
+            size = 1 << w
+            body = b'X' * size
+            headers = {'Content-Length' : str(size)}
+            res = self.request('/cgi-bin/file7.py', 'POST', body, headers)
+            self.assertEqual(res.read(), b'%d %d' % (size, size) + self.linesep)
+
+    def test_large_content_length_truncated(self):
+        for w in range(18, 65):
+            size = 1 << w
+            headers = {'Content-Length' : str(size)}
+            res = self.request('/cgi-bin/file1.py', 'POST', b'x', headers)
+            self.assertEqual(res.read(), b'Hello World' + self.linesep)
+
    def test_invaliduri(self):
        res = self.request('/cgi-bin/invalid')
        res.read()