cpython/Lib/http
Miss Islington (bot) aa06529dfb
[3.15] gh-150743: Limit trailer lines and interim responses read by http.client (GH-150741) (#152523)
gh-150743: Limit trailer lines and interim responses read by http.client (GH-150741)

http.client read chunked-response trailer lines and skipped interim (1xx)
responses in unbounded loops, so a server streaming either forever would
hang the client even with a socket timeout set (data keeps arriving, so
the timeout never fires).

Trailer lines are now limited to max_response_headers (100 by default)
and interim responses to 100; HTTPException is raised past either limit.

Follow-up to gh-88188 for CVE-2021-3737, which bounded header lines
within an interim response but not these two sibling loops.
(cherry picked from commit 41cc78a7a4)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>

---

This issue was reported to us via [GHSA-w4q2-g22w-6fr4](https://github.com/python/cpython/security/advisories/GHSA-w4q2-g22w-6fr4) and was determined not to be high enough severity to handle privately.

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
2026-06-28 19:35:27 +00:00
..
__init__.py gh-129408: http: Fix typo 'RFF' to RFC' in documentation (#129411) 2025-01-28 13:25:51 -05:00
client.py [3.15] gh-150743: Limit trailer lines and interim responses read by http.client (GH-150741) (#152523) 2026-06-28 19:35:27 +00:00
cookiejar.py gh-135528: Support more second-level domain names in http.cookiejar (#135820) 2026-04-29 11:33:51 +00:00
cookies.py [3.15] gh-149144: Use decodeURIComponent() for UTF-8 support in js_output() (GH-149157) (GH-149846) 2026-05-15 00:38:11 +02:00
server.py gh-142389: Add backticks to stdlib argparse help to display in colour (#149384) 2026-05-04 22:23:18 +00:00