http.server parses HTTP version numbers too permissively.

http.server accepts request lines with HTTP version numbers that have'_','+', and'-'.

Reproduction steps:

(Requires netcat)

python3 -m http.server --bind 127.0.0.1printf'GET / HTTP/-9_9_9.+9_9_9\r\n\r\n'| nc 127.0.0.1 8000

Justification

Here are theHTTP-version definitions from each of the three HTTP RFCs:

• RFC 2616:

HTTP-Version   = "HTTP" "/" 1*DIGIT "." 1*DIGIT

• RFC 7230:

HTTP-version  = HTTP-name "/" DIGIT "." DIGITHTTP-name     = %x48.54.54.50 ; "HTTP", case-sensitive

• RFC 9112:

HTTP-version  = HTTP-name "/" DIGIT "." DIGITHTTP-name     = %s"HTTP"

I understand allowing multiple digits for backwards-compatibility with RFC 2616, but I don't think it makes sense to let the specifics ofint leak out into the world. We should at least ensure that only digits are permitted in HTTP version numbers.

My environment

• CPython 3.12.0a6+
• Operating system and architecture: Arch Linux on x86_64

Linked PRs

• gh-103204:http.server - Enforce that HTTP version numbers must consist only of digits #103205
• [3.11] gh-103204:http.server - Enforce that HTTP version numbers must consist only of digits (GH-103205) #104438