author | Robert Brewer <fumanchu@aminus.org> | 2006-12-28 20:09:37 +0000 |
---|---|---|
committer | Robert Brewer <fumanchu@aminus.org> | 2006-12-28 20:09:37 +0000 |
commit | 66befe917c1158ce2a4a48f5372cba52535ffe96 (patch) | |
tree | 1cf364f129f524a64949fd0d2d03a31a7acc68fb | |
parent | 61b92a3a2632b3052201525cebd725d5d3663290 (diff) | |
download | cherrypy-66befe917c1158ce2a4a48f5372cba52535ffe96.tar.gz |
2.x backport of [1538] and [1549] (Fix for leading CRLF in request).
-rw-r--r-- | cherrypy/_cpwsgiserver.py | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/cherrypy/_cpwsgiserver.py b/cherrypy/_cpwsgiserver.py
index 4a32e53a..52b7f2ba 100644
--- a/cherrypy/_cpwsgiserver.py
+++ b/cherrypy/_cpwsgiserver.py
@@ -68,6 +68,16 @@ class HTTPRequest(object):
 self.ready = False
 return
+ if request_line == "\r\n":
+ # RFC 2616 sec 4.1: "...if the server is reading the protocol
+ # stream at the beginning of a message and receives a CRLF
+ # first, it should ignore the CRLF."
+ # But only ignore one leading line! else we enable a DoS.
+ request_line = self.rfile.readline()
+ if not request_line:
+ self.ready = False
+ return
+
 method, path, req_protocol = request_line.strip().split(" ", 2)
 self.environ["REQUEST_METHOD"] = method |
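Review bot: The line read after the skipped CRLF reaches `method, path, req_protocol = request_line.strip().split(" ", 2)` with only an emptiness check, so a second blank line, or any line with fewer than three fields, makes the unpack raise ValueError instead of taking a clean rejection path. Whether a caller catches that and answers 400 is not visible, because the method starts and ends outside the hunk. If nothing does, check the field count first with `parts = request_line.strip().split(" ", 2)` and `if len(parts) != 3:`, then take the same `self.ready = False` / `return` path or send an explicit 400. The `== "\r\n"` comparison also leaves a leading bare `"\n"` unskipped. The added `self.rfile.readline()` is called without a size argument, so line length is bounded only if `rfile` enforces a limit elsewhere; a comment saying where would help.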