
http.server parses HTTP version numbers too permissively. #103204

Closed
kenballus opened this issue Apr 3, 2023 · 0 comments · Fixed by #103205
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

kenballus commented Apr 3, 2023

http.server parses HTTP version numbers too permissively.

http.server accepts request lines with HTTP version numbers that have '_', '+', and '-'.

Reproduction steps:

(Requires netcat)

python3 -m http.server --bind 127.0.0.1
printf 'GET / HTTP/-9_9_9.+9_9_9\r\n\r\n' | nc 127.0.0.1 8000

Justification

Here are the HTTP-version definitions from each of the three HTTP RFCs:

  • RFC 2616:
HTTP-Version   = "HTTP" "/" 1*DIGIT "." 1*DIGIT
  • RFC 7230:
HTTP-version  = HTTP-name "/" DIGIT "." DIGIT
HTTP-name     = %x48.54.54.50 ; "HTTP", case-sensitive
  • RFC 9112:
HTTP-version  = HTTP-name "/" DIGIT "." DIGIT
HTTP-name     = %s"HTTP"

I understand allowing multiple digits for backwards-compatibility with RFC 2616, but I don't think it makes sense to let the specifics of int leak out into the world. We should at least ensure that only digits are permitted in HTTP version numbers.

My environment

  • CPython 3.12.0a6+
  • Operating system and architecture: Arch Linux on x86_64
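To make the report concrete, here is an added example (not part of the issue or of CPython's own code) that models the pre-fix check as two `int()` calls beside a strict ASCII-digit check, and runs both over the issue's reproduction token and a few other strings `int()` quietly accepts. The 10-digit length cap is an assumption made here, not a value from an RFC.

```python
import re

# ASCII-only grammar: RFC 9112 allows exactly one DIGIT on each side of the
# '.', and 1*DIGIT keeps RFC 2616 compatibility. The 10-digit cap is an
# assumption chosen here to bound the integers, not something the RFCs state.
_VERSION_RE = re.compile(r"HTTP/([0-9]{1,10})\.([0-9]{1,10})")


def parse_version_permissive(version: str) -> tuple[int, int]:
    """Model of the pre-fix check: split on '.' and hand each half to int().

    int() accepts sign characters, '_' digit separators and non-ASCII decimal
    digits, so all of those leak into the parsed version number.
    """
    if not version.startswith("HTTP/"):
        raise ValueError("bad version prefix")
    parts = version.split("/", 1)[1].split(".")
    if len(parts) != 2:
        raise ValueError("bad version syntax")
    return int(parts[0]), int(parts[1])


def parse_version_strict(version: str) -> tuple[int, int]:
    """Accept only 'HTTP/' + ASCII digits + '.' + ASCII digits, nothing else.

    A [0-9] class is used instead of str.isdigit(), which is also true for
    superscripts and other non-ASCII digit characters.
    """
    m = _VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError("bad version syntax")
    return int(m.group(1)), int(m.group(2))


def accepts(token: str, strict: bool) -> bool:
    """True when the chosen parser accepts the version token."""
    parser = parse_version_strict if strict else parse_version_permissive
    try:
        parser(token)
    except ValueError:
        return False
    return True


# Constructed version tokens: the issue's repro plus other int() quirks
# (an Arabic-Indic digit one, and an 11-digit minor version).
SAMPLES = ["HTTP/1.1", "HTTP/-9_9_9.+9_9_9", "HTTP/1.\u0661", "HTTP/1.99999999999"]


def compare(tokens=SAMPLES) -> dict[str, tuple[bool, bool]]:
    """Map each token to (permissive_accepts, strict_accepts)."""
    return {t: (accepts(t, False), accepts(t, True)) for t in tokens}


if __name__ == "__main__":
    for token, (loose, tight) in compare().items():
        print(f"{token!r:28} permissive={loose!s:5} strict={tight}")
```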

@kenballus kenballus added the type-bug An unexpected behavior, bug, or error label Apr 3, 2023
@arhadthedev arhadthedev added the stdlib Python modules in the Lib dir label Apr 3, 2023
@gpshead gpshead self-assigned this May 12, 2023
gpshead added a commit that referenced this issue May 12, 2023
…sist only of digits (#103205)

Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.

---------

Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
miss-islington pushed a commit to miss-islington/cpython that referenced this issue May 12, 2023
…st consist only of digits (pythonGH-103205)

Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.

---------

(cherry picked from commit cf720ac)

Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
gpshead added a commit that referenced this issue May 12, 2023
…ust consist only of digits (GH-103205) (#104438)

gh-103204: `http.server` - Enforce that HTTP version numbers must consist only of digits (GH-103205)

Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long.

---------

(cherry picked from commit cf720ac)

Co-authored-by: Ben Kallus <49924171+kenballus@users.noreply.github.com>
Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net>
Co-authored-by: Gregory P. Smith <greg@krypto.org>