mirror of
https://github.com/python/cpython.git
synced 2026-06-29 04:10:54 +00:00
41cc78a7a4
http.client read chunked-response trailer lines and skipped interim (1xx) responses in unbounded loops, so a server streaming either forever would hang the client even with a socket timeout set (data keeps arriving, so the timeout never fires). Trailer lines are now limited to max_response_headers (100 by default) and interim responses to 100; HTTPException is raised past either limit. Follow-up to gh-88188 for CVE-2021-3737, which bounded header lines within an interim response but not these two sibling loops. --- This issue was reported to us via [GHSA-w4q2-g22w-6fr4](https://github.com/python/cpython/security/advisories/GHSA-w4q2-g22w-6fr4) and was determined not to be high enough severity to handle privately. |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| client.py | ||
| cookiejar.py | ||
| cookies.py | ||
| server.py | ||