bpo-44022: Fix http client infinite line reading (DoS) after a HTTP 100 Continue (GH-25916)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response. Co-authored-by: Gregory P. Smith <greg@krypto.org> (cherry picked from commit 47895e31b6) Co-authored-by: Gen Xu <xgbarry@gmail.com>
2025-11-11 02:52:04 +00:00 · 2021-05-05 16:05:52 -07:00 · 2021-05-05 16:05:52 -07:00 · ea93270366
commit ea93270366
parent bc8b93c9a9
3 changed files with 32 additions and 18 deletions
--- a/Lib/test/test_httplib.py
+++ b/Lib/test/test_httplib.py
@ -1005,6 +1005,14 @@ def test_overflowing_header_line(self):
        resp = client.HTTPResponse(FakeSocket(body))
        self.assertRaises(client.LineTooLong, resp.begin)

+    def test_overflowing_header_limit_after_100(self):
+        body = (
+            'HTTP/1.1 100 OK\r\n'
+            'r\n' * 32768
+        )
+        resp = client.HTTPResponse(FakeSocket(body))
+        self.assertRaises(client.HTTPException, resp.begin)
+
    def test_overflowing_chunked_line(self):
        body = (
            'HTTP/1.1 200 OK\r\n'
@ -1406,7 +1414,7 @@ def readline(self, limit):
 class OfflineTest(TestCase):
    def test_all(self):
        # Documented objects defined in the module should be in __all__
-        expected = {"responses"}  # White-list documented dict() object
+        expected = {"responses"}  # Allowlist documented dict() object
        # HTTPMessage, parse_headers(), and the HTTP status code constants are
        # intentionally omitted for simplicity
        blacklist = {"HTTPMessage", "parse_headers"}