authorRobert Brewer <fumanchu@aminus.org>2006-12-28 20:09:37 +0000
committerRobert Brewer <fumanchu@aminus.org>2006-12-28 20:09:37 +0000
commit66befe917c1158ce2a4a48f5372cba52535ffe96 (patch)
tree1cf364f129f524a64949fd0d2d03a31a7acc68fb
parent61b92a3a2632b3052201525cebd725d5d3663290 (diff)
2.x backport of [1538] and [1549] (Fix for leading CRLF in request).
-rw-r--r--cherrypy/_cpwsgiserver.py10
1 files changed, 10 insertions, 0 deletions
diff --git a/cherrypy/_cpwsgiserver.py b/cherrypy/_cpwsgiserver.py
index 4a32e53a..52b7f2ba 100644
--- a/cherrypy/_cpwsgiserver.py
+++ b/cherrypy/_cpwsgiserver.py
@@ -68,6 +68,16 @@ class HTTPRequest(object):
self.ready = False
return
+ if request_line == "\r\n":
+ # RFC 2616 sec 4.1: "...if the server is reading the protocol
+ # stream at the beginning of a message and receives a CRLF
+ # first, it should ignore the CRLF."
+ # But only ignore one leading line! else we enable a DoS.
+ request_line = self.rfile.readline()
+ if not request_line:
+ self.ready = False
+ return
+
method, path, req_protocol = request_line.strip().split(" ", 2)
self.environ["REQUEST_METHOD"] = method
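Review bot: A second blank line still reaches the three-way unpack in `method, path, req_protocol = request_line.strip().split(" ", 2)`, because the inner guard after the extra `readline()` only catches EOF. A request that starts with two CRLFs makes the split return `[""]` and the unpack raise ValueError; whether a caller turns that into a clean close or a 400 response is not visible in this hunk. Changing the inner check to `if not request_line.strip():` would send that case through the existing `self.ready = False` path while keeping the one-line limit the comment asks for. The comparison `request_line == "\r\n"` also does not match a bare `"\n"`, so clients that terminate lines with LF alone get no leniency; if that is deliberate, the comment should say so. The enclosing method starts and ends outside the hunk.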