Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

gh-119451: Fix OOM vulnerability in http.client #119454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 2 commits into
base: main
Choose a base branch
Loading
from
+82 −3
Draft

gh-119451: Fix OOM vulnerability in http.client #119454

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
25166b1
gh-119451: Fix OOM vulnerability in http.client
serhiy-storchaka May 23, 2024
f097fad
Add also test for non-truncated large body.
serhiy-storchaka May 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 13 additions & 3 deletions 16 Lib/http/client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,6 +111,11 @@
_MAXLINE = 65536
_MAXHEADERS = 100

# Data larger than this will be read in chunks, to prevent extreme
# overallocation.
_SAFE_BUF_SIZE = 1 << 20


# Header name/value ABNF (http://tools.ietf.org/html/rfc7230#section-3.2)
#
# VCHAR = %x21-7E
Expand Down Expand Up @@ -637,9 +642,14 @@ def _safe_read(self, amt):
reading. If the bytes are truly not available (due to EOF), then the
IncompleteRead exception can be used to detect the problem.
"""
data = self.fp.read(amt)
if len(data) < amt:
raise IncompleteRead(data, amt-len(data))
cursize = min(amt, _SAFE_BUF_SIZE)
data = self.fp.read(cursize)
while len(data) < amt:
if len(data) < cursize:
raise IncompleteRead(data, amt-len(data))
delta = min(cursize, amt - cursize)
data += self.fp.read(cursize)
cursize += delta
return data

def _safe_readinto(self, b):
Expand Down
66 changes: 66 additions & 0 deletions 66 Lib/test/test_httplib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1436,6 +1436,72 @@ def run_server():
thread.join()
self.assertEqual(result, b"proxied data\n")

def test_large_content_length(self):
serv = socket.create_server((HOST, 0))
self.addCleanup(serv.close)

def run_server():
[conn, address] = serv.accept()
with conn:
while conn.recv(1024):
conn.sendall(
b"HTTP/1.1 200 Ok\r\n"
b"Content-Length: %d\r\n"
b"\r\n" % size)
conn.sendall(b'A' * (size//3))
conn.sendall(b'B' * (size - size//3))

thread = threading.Thread(target=run_server)
thread.start()
self.addCleanup(thread.join, 1.0)

conn = client.HTTPConnection(*serv.getsockname())
try:
for w in range(15, 27):
size = 1 << w
conn.request("GET", "/")
with conn.getresponse() as response:
self.assertEqual(len(response.read()), size)
finally:
conn.close()
thread.join(1.0)

def test_large_content_length_truncated(self):
serv = socket.create_server((HOST, 0))
self.addCleanup(serv.close)

def run_server():
while True:
[conn, address] = serv.accept()
with conn:
conn.recv(1024)
if not size:
break
conn.sendall(
b"HTTP/1.1 200 Ok\r\n"
b"Content-Length: %d\r\n"
b"\r\n"
b"Text" % size)

thread = threading.Thread(target=run_server)
thread.start()
self.addCleanup(thread.join, 1.0)

conn = client.HTTPConnection(*serv.getsockname())
try:
for w in range(18, 65):
size = 1 << w
conn.request("GET", "/")
with conn.getresponse() as response:
self.assertRaises(client.IncompleteRead, response.read)
conn.close()
finally:
conn.close()
size = 0
conn.request("GET", "/")
conn.close()
thread.join(1.0)

def test_putrequest_override_domain_validation(self):
"""
It should be possible to override the default validation
Expand Down
3 changes: 3 additions & 0 deletions 3 Misc/NEWS.d/next/Security/2024-05-23-11-47-48.gh-issue-119451.qkJe9-.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
Fix OOM vulnerability in :mod:`http.client`, when reading the whole body of
a specially prepared small HTTP response could cause consuming an arbitrary
amount of memory.
Loading
Morty Proxy This is a proxified and sanitized view of the page, visit original site.