gh-103204: http.server - Enforce that HTTP version numbers must consist only of digits #103205
JelleZijlstra commented Apr 3, 2023
Could you add a unit test?
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
arhadthedev commented May 12, 2023
@gpshead (as a more-than-twice committer into
gpshead commented May 12, 2023
From a protocol standpoint this PR is pedantically correct, we shouldn't have accepted other values. Not that anyone is ever going to send them. I've also added to this PR a length constraint on the values accepted for good measure.
JelleZijlstra commented May 12, 2023
miss-islington commented May 12, 2023
Thanks @kenballus for the PR, and @gpshead for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
bedevere-bot commented May 12, 2023
GH-104438 is a backport of this pull request to the 3.11 branch.
…st consist only of digits (pythonGH-103205)
Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.
---------
(cherry picked from commit cf720ac)
Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>

…ust consist only of digits (GH-103205) (#104438)
gh-103204: `http.server` - Enforce that HTTP version numbers must consist only of digits (GH-103205)
Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.
---------
(cherry picked from commit cf720ac)
Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
gh-103204: Enforce that HTTP version numbers must consist only of digits
Currently, `http.server` accepts requests with version numbers preceded with '+' or '-', as well as those with '_' between digits. I am not aware of any other HTTP server that accepts such requests. This PR makes it reject those requests.

Fixes #103204.
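
The parsing difference this PR is about, as an added example that is not CPython's own code: a version parser that hands each component straight to `int()`, next to one that requires ASCII digits and caps component length. The function names, the 10-character cap (the page says only "too-long") and the sample tokens are assumptions constructed for illustration.

```python
MAX_COMPONENT_LEN = 10  # assumed cap; the page only says "too-long"


def _split_version(token):
    """Split 'HTTP/x.y' into its two raw components."""
    if not token.startswith("HTTP/"):
        raise ValueError("missing HTTP/ prefix")
    parts = token[len("HTTP/"):].split(".")
    if len(parts) != 2:
        raise ValueError("expected exactly major.minor")
    return parts


def parse_version_lax(token):
    """Lenient form: int() also accepts a leading '+'/'-' and '_' between digits."""
    major, minor = _split_version(token)
    return int(major), int(minor)


def parse_version_strict(token):
    """Hardened form: ASCII digits only, bounded length, then convert."""
    parts = _split_version(token)
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            raise ValueError("non-digit in HTTP version")
        if len(part) > MAX_COMPONENT_LEN:
            raise ValueError("unreasonable length HTTP version")
    return int(parts[0]), int(parts[1])


# Constructed sample version tokens (not taken from the PR).
SAMPLES = ["HTTP/1.1", "HTTP/+1.1", "HTTP/1.-0", "HTTP/1_0.1", "HTTP/1." + "0" * 11]


def compare(tokens):
    """Map each token to (lax result, strict result); None means rejected."""
    results = {}
    for token in tokens:
        row = []
        for parser in (parse_version_lax, parse_version_strict):
            try:
                row.append(parser(token))
            except ValueError:
                row.append(None)
        results[token] = tuple(row)
    return results


if __name__ == "__main__":
    for token, (lax, strict) in compare(SAMPLES).items():
        print(f"{token!r:24} lax={lax} strict={strict}")
```
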