pool/python
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
python/CVE-2021-3737-fix-HTTP-client-infinite-line-reading-after-a-HTTP-100-Continue.patch

27 lines
1.1 KiB
Diff
Raw Normal View History

- Add CVE-2024-6232-ReDOS-backtrack-tarfile.patch prevent ReDos via excessive backtracking while parsing header values (bsc#1230227, CVE-2024-6232). OBS-URL: https://build.opensuse.org/package/show/devel:languages:python:Factory/python?expand=0&rev=425
2024-09-20 21:00:23 +00:00
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -449,6 +449,7 @@ class HTTPResponse:
if status != CONTINUE:
break
# skip the header from the 100 response
+ header_count = 0
while True:
skip = self.fp.readline(_MAXLINE + 1)
if len(skip) > _MAXLINE:
@@ -458,6 +459,10 @@ class HTTPResponse:
break
if self.debuglevel > 0:
print "header:", skip
+ # CVE-2021-3737: Fix infinitely reading potential HTTP headers on a 100 Continue status response from the server
+ header_count += 1
+ if header_count > _MAXHEADERS:
+ raise HTTPException("got more than %d headers" % _MAXHEADERS)
self.status = status
self.reason = reason.strip()
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2021-05-05-17-37-04.bpo-44022.bS3XJ9.rst
@@ -0,0 +1,2 @@
+mod:`http.client` now avoids infinitely reading potential HTTP headers after a
+``100 Continue`` status response from the server.
Reference in New Issue Copy Permalink