
bpo-44022: Fix http client infinite line reading (DoS) after a http 100 #25916

Merged
merged 7 commits into from May 5, 2021

Conversation

@gen-xu
Contributor

@gen-xu gen-xu commented May 5, 2021

@the-knights-who-say-ni

@the-knights-who-say-ni the-knights-who-say-ni commented May 5, 2021

Hello, and thanks for your contribution!

I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA).

Recognized GitHub username

We couldn't find a bugs.python.org (b.p.o) account corresponding to the following GitHub usernames:

@gen-nimble

This might be simply due to a missing "GitHub Name" entry in one's b.p.o account settings. This is necessary for legal reasons before we can look at this contribution. Please follow the steps outlined in the CPython devguide to rectify this issue.

CLA Missing

Our records indicate the following people have not signed the CLA:

@gen-xu

For legal reasons we need all the people listed to sign the CLA before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue.

If you have recently signed the CLA, please wait at least one business day
before our records are updated.

You can check yourself to see if the CLA has been received.

Thanks again for the contribution, we look forward to reviewing it!

@gen-xu gen-xu force-pushed the gen-xu:fix-issue-44022 branch from cc46630 to e53f243 May 5, 2021
@gen-xu gen-xu changed the title bpo-44022: Fix httplib client deny of service with total header size check after 100. bpo-44022: Fix httplib client deny of service with total header size check after http 100. May 5, 2021
Review comment on Lib/http/client.py (outdated, resolved)
@bedevere-bot

@bedevere-bot bedevere-bot commented May 5, 2021

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

@gpshead gpshead changed the title bpo-44022: Fix httplib client deny of service with total header size check after http 100. bpo-44022: Fix http client infinite line reading (DoS) after a http 100 May 5, 2021
@gpshead gpshead self-assigned this May 5, 2021
@gen-xu
Contributor Author

@gen-xu gen-xu commented May 5, 2021

I have made the requested changes; please review again

@bedevere-bot

@bedevere-bot bedevere-bot commented May 5, 2021

Thanks for making the requested changes!

@gpshead: please review the changes made to this pull request.

@bedevere-bot bedevere-bot requested a review from gpshead May 5, 2021
gpshead added 3 commits May 5, 2021
@gpshead
gpshead approved these changes May 5, 2021
Member

@gpshead gpshead left a comment

I made a few minor edit updates to the PR. Now we wait for the CI testing runs to finish. :)

@gpshead gpshead merged commit 47895e3 into python:main May 5, 2021
12 checks passed:
GitHub Actions: Docs
GitHub Actions: Check for source changes
GitHub Actions: Check if generated files are up to date
GitHub Actions: Windows (x86)
GitHub Actions: Windows (x64)
GitHub Actions: macOS
GitHub Actions: Ubuntu
GitHub Actions: Ubuntu SSL tests with OpenSSL
Azure Pipelines PR #20210505.45 succeeded
Travis CI - Pull Request Build Passed
bedevere/issue-number: Issue number 44022 found
bedevere/news: News entry found in Misc/NEWS.d
@miss-islington
Contributor

@miss-islington miss-islington commented May 5, 2021

Thanks @gen-xu for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10, 3.6, 3.7, 3.8, 3.9.
🐍🍒🤖

@bedevere-bot

@bedevere-bot bedevere-bot commented May 5, 2021

GH-25931 is a backport of this pull request to the 3.10 branch.

@bedevere-bot

@bedevere-bot bedevere-bot commented May 5, 2021

GH-25932 is a backport of this pull request to the 3.9 branch.

miss-islington added a commit to miss-islington/cpython that referenced this pull request May 5, 2021
…00 Continue (pythonGH-25916)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>
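The failure mode the commit message describes, as an added illustration that is not code from this PR or from CPython: a status reader that skips interim 100 Continue responses but bounds each skipped header block by line count and line length (the limit values are copied under http.client's constant names, not imported), run against a constructed stream that never ends its header block. `EndlessHeaderStream`, `probe` and the sample bytes are assumptions of this example.

```python
import io

_MAXLINE = 65536     # same limits http.client uses; copied here, not imported
_MAXHEADERS = 100
CONTINUE = 100

class HTTPException(Exception): pass

def _read_headers(fp):
    """Read header lines up to the blank line, bounded in count and length."""
    headers = []
    while True:
        line = fp.readline(_MAXLINE + 1)
        if len(line) > _MAXLINE:
            raise HTTPException("header line too long")
        headers.append(line)
        if len(headers) > _MAXHEADERS:
            raise HTTPException("got more than %d headers" % _MAXHEADERS)
        if line in (b"\r\n", b"\n", b""):
            return headers

def read_final_status(fp):
    """Return the first non-100 status code, skipping interim 100 responses;
    each skipped header block is bounded, so endless header lines raise."""
    while True:
        line = fp.readline(_MAXLINE + 1)
        if not line:
            raise HTTPException("remote end closed connection")
        status = int(line.decode("iso-8859-1").split(None, 2)[1])
        if status != CONTINUE:
            return status
        _read_headers(fp)

class EndlessHeaderStream:
    """Constructed stand-in for a misbehaving server socket: one 100 Continue
    status line, then header lines forever (no blank line, no EOF)."""
    def __init__(self):
        self.lines_read = 0
    def readline(self, limit=-1):
        self.lines_read += 1
        return b"HTTP/1.1 100 Continue\r\n" if self.lines_read == 1 else b"X-Pad: junk\r\n"

def probe(fp):
    """Run the reader; return (status, error message, lines consumed)."""
    if isinstance(fp, bytes):  # raw bytes stand in for a well-behaved server
        fp = io.BytesIO(fp)
    try:
        return read_final_status(fp), None, getattr(fp, "lines_read", None)
    except HTTPException as exc:
        return None, str(exc), getattr(fp, "lines_read", None)
```

Without the header-count bound in `_read_headers`, the same loop would consume the endless stream indefinitely; with it, the client gives up after one status line plus 101 header lines.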
@bedevere-bot

@bedevere-bot bedevere-bot commented May 5, 2021

GH-25933 is a backport of this pull request to the 3.8 branch.

miss-islington added a commit to miss-islington/cpython that referenced this pull request May 5, 2021
…00 Continue (pythonGH-25916)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>
@bedevere-bot

@bedevere-bot bedevere-bot commented May 5, 2021

GH-25934 is a backport of this pull request to the 3.7 branch.

miss-islington added a commit to miss-islington/cpython that referenced this pull request May 5, 2021
…00 Continue (pythonGH-25916)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>
@bedevere-bot

@bedevere-bot bedevere-bot commented May 5, 2021

GH-25935 is a backport of this pull request to the 3.6 branch.

miss-islington added a commit that referenced this pull request May 5, 2021
…00 Continue (GH-25916)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>
gpshead pushed a commit that referenced this pull request May 5, 2021
…00 Continue (GH-25916) (GH-25931)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>
ambv pushed a commit that referenced this pull request May 6, 2021
…00 Continue (GH-25916) (#25933)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>
ned-deily pushed a commit that referenced this pull request May 6, 2021
…00 Continue (GH-25916) (GH-25935)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>
ned-deily pushed a commit that referenced this pull request May 6, 2021
…00 Continue (GH-25916) (GH-25934)

Fixes http.client potential denial of service where it could get stuck reading lines from a malicious server after a 100 Continue response.

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 47895e3)

Co-authored-by: Gen Xu <xgbarry@gmail.com>