python/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch

--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -449,6 +449,7 @@ class HTTPResponse:
             if status != CONTINUE:
                 break
             # skip the header from the 100 response
+            header_count = 0
             while True:
                 skip = self.fp.readline(_MAXLINE + 1)
                 if len(skip) > _MAXLINE:
@@ -458,6 +459,10 @@ class HTTPResponse:
                     break
                 if self.debuglevel > 0:
                     print "header:", skip
+                # bpo-44022: Fix http client infinite line reading (DoS) after a http 100
+                header_count += 1
+                if header_count > _MAXHEADERS:
+                    raise HTTPException("got more than %d headers" % _MAXHEADERS)
 
         self.status = status
         self.reason = reason.strip()
Accepting request 911127 from home:fusionfuture:branches:devel:languages:python:Factory - Add bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch which fixes http client infinite line reading (DoS) after a http 100 (bpo#44022, boo#1189241). OBS-URL: https://build.opensuse.org/request/show/911127 OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=296 2021-08-10 06:45:07 +02:00			`--- a/Lib/httplib.py`
			`+++ b/Lib/httplib.py`
			`@@ -449,6 +449,7 @@ class HTTPResponse:`
			`if status != CONTINUE:`
			`break`
			`# skip the header from the 100 response`
			`+ header_count = 0`
			`while True:`
			`skip = self.fp.readline(_MAXLINE + 1)`
			`if len(skip) > _MAXLINE:`
			`@@ -458,6 +459,10 @@ class HTTPResponse:`
			`break`
			`if self.debuglevel > 0:`
			`print "header:", skip`
			`+ # bpo-44022: Fix http client infinite line reading (DoS) after a http 100`
			`+ header_count += 1`
			`+ if header_count > _MAXHEADERS:`
			`+ raise HTTPException("got more than %d headers" % _MAXHEADERS)`

			`self.status = status`
			`self.reason = reason.strip()`