Non-int Content-Length raises ValueError and returns 408 error #100

Closed
Dobatymo opened this Issue Jun 13, 2018 · 1 comment


Dobatymo commented Jun 13, 2018

I'm submitting a ...

  • bug report
  • feature request
  • question about the decisions made in the repository

Describe the bug. What is the current behavior?
If the Content-Length header has a value which cannot be converted to string, a ValueError is raised which is not handled explicitly. A 408 Request Timeout is returned.

What is the motivation / use case for changing the behavior?
My logs are littered with entries like

[13/Jun/2018:00:28:17] ENGINE ValueError("invalid literal for int() with base 10: b'<script>alert(Content-Length)</script>'",)
Traceback (most recent call last):
  File "C:\Program Files\Python35\lib\site-packages\cheroot\server.py", line 1152, in communicate
    req.respond()
  File "C:\Program Files\Python35\lib\site-packages\cheroot\server.py", line 964, in respond
    cl = int(self.inheaders.get(b'Content-Length', 0))
ValueError: invalid literal for int() with base 10: b'<script>alert(Content-Length)</script>'

To Reproduce
Simply send an HTTP request with a non-int Content-Length header.

>>> import requests
>>> requests.get("https://cheroot.example", headers={"Content-Length":"asd"})
<Response [408]>

Expected behavior
Explicitly handle that case and return 'Bad Request' or whatever the correct status code for this situation is.

Environment

  • Cheroot version: 6.0.0
  • CherryPy version: 14.0.1
  • Python version: 3.5.4
  • OS: Windows
  • Browser: all

I know I am not using the latest version, but the code looks like it should still give the same error.

nosmokingbandit added a commit to nosmokingbandit/cheroot that referenced this issue Jun 13, 2018

Fix cherrypy#100 Non-int content-length header
Use try/except to catch ValueError when converting content-length to int. Responds to client with 400 error rather than 500 error.
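An added illustration, not Cheroot's own code: a stand-in for the `int()` line in the traceback above, beside a hardened parse that answers a malformed header with 400. It goes beyond the try/except the commit describes by also rejecting values `int()` would silently accept. The header dicts, function names and return shapes are constructed for this example.

```python
import re

# Constructed sample headers, keyed as bytes like the inheaders dict in the traceback.
GOOD_HEADERS = {b'Content-Length': b'42'}
BAD_HEADERS = {b'Content-Length': b"<script>alert(Content-Length)</script>"}

# Content-Length = 1*DIGIT (RFC 7230, section 3.3.2): ASCII digits only, nothing else.
_CONTENT_LENGTH = re.compile(rb'[0-9]+')


def respond_unchecked(inheaders):
    """Stand-in for the failing line in the traceback:
        cl = int(self.inheaders.get(b'Content-Length', 0))
    A non-numeric value raises ValueError straight out of the handler. Nothing
    here catches it, so the server's generic error path answers (408 or 500 in
    the reports above) instead of a 400 that names the client's mistake.
    Returns (status, parsed_length)."""
    cl = int(inheaders.get(b'Content-Length', 0))
    return 200, cl


def respond_hardened(inheaders):
    """Validate before converting. Beyond a bare try/except around int(), the
    digit-only check also rejects values int() would accept (b'+5', b' 5',
    b'5_0'), so this server never reads a length a strict peer would refuse.
    Returns (status, parsed_length); parsed_length is None on rejection."""
    raw = inheaders.get(b'Content-Length')
    if raw is None:
        return 200, 0
    if not _CONTENT_LENGTH.fullmatch(raw):
        return 400, None  # Bad Request: malformed Content-Length, no body read
    return 200, int(raw)


def unchecked_raises(inheaders):
    """True when the unchecked path lets ValueError escape, as in the issue."""
    try:
        respond_unchecked(inheaders)
    except ValueError:
        return True
    return False
```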

@nosmokingbandit nosmokingbandit referenced this issue Jun 13, 2018

Merged

Fix #100 Non-int content-length header #101

nosmokingbandit commented Jun 13, 2018

On the current release Cheroot returns a 500 error, which is even less descriptive. I've submitted a PR that addresses this.

webknjaz added a commit that referenced this issue Jun 15, 2018

Respond with HTTP 400 to malicious Content-Length
Fixes #100

Co-authored-by: Steven <nosmokingbandit@gmail.com>
Co-authored-by: Sviatoslav Sydorenko <wk@sydorenko.org.ua>