author | Bert JW Regeer <bertjw@regeer.org> | 2019-12-12 18:19:40 -0800 |
---|---|---|
committer | Bert JW Regeer <bertjw@regeer.org> | 2019-12-19 15:59:58 +0100 |
commit | 575994cd42e83fd772a5f7ec98b2c56751bd3f65 (patch) | |
tree | 4378d7cb76c1985641a52d1f4fa599d3677abf89 | |
parent | 804e3133a54088fc879c5e791bbe14bb8eb625f9 (diff) | |
download | waitress-575994cd42e83fd772a5f7ec98b2c56751bd3f65.tar.gz |
Upon receiving invalid Content-Length bail
Instead of attempting to continue processing the request, we now
raise a ParsingError and return an HTTP Bad Request to the client.
This also catches the case where two Content-Length headers are sent and are
folded together using HTTP header folding.
-rw-r--r-- | waitress/parser.py | 3 | ||||
-rw-r--r-- | waitress/tests/test_parser.py | 23 |
2 files changed, 23 insertions, 3 deletions
diff --git a/waitress/parser.py b/waitress/parser.py
index e2970cb..c537964 100644
--- a/waitress/parser.py
+++ b/waitress/parser.py
@@ -254,7 +254,8 @@ class HTTPRequestParser(object):
 try:
 cl = int(headers.get("CONTENT_LENGTH", 0))
 except ValueError:
- cl = 0
+ raise ParsingError("Content-Length is invalid")
+
 self.content_length = cl
 if cl > 0:
 buf = OverflowableBuffer(self.adj.inbuf_overflow)
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
index 463e0b2..aa01d9d 100644
--- a/waitress/tests/test_parser.py
+++ b/waitress/tests/test_parser.py
@@ -167,9 +167,28 @@ class TestHTTPRequestParser(unittest.TestCase):
 self.assertTrue(False)
 def test_parse_header_bad_content_length(self):
+ from waitress.parser import ParsingError
+
 data = b"GET /foobar HTTP/8.4\r\ncontent-length: abc\r\n"
- self.parser.parse_header(data)
- self.assertEqual(self.parser.body_rcv, None)
+
+ try:
+ self.parser.parse_header(data)
+ except ParsingError as e:
+ self.assertIn("Content-Length is invalid", e.args[0])
+ else: # pragma: nocover
+ self.assertTrue(False)
+
+ def test_parse_header_multiple_content_length(self):
+ from waitress.parser import ParsingError
+
+ data = b"GET /foobar HTTP/8.4\r\ncontent-length: 10\r\ncontent-length: 20\r\n"
+
+ try:
+ self.parser.parse_header(data)
+ except ParsingError as e:
+ self.assertIn("Content-Length is invalid", e.args[0])
+ else: # pragma: nocover
+ self.assertTrue(False)
 def test_parse_header_11_te_chunked(self):
 # NB: test that capitalization of header value is unimportant |
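Review bot: In the `@@ -254,7 +254,8 @@` hunk of waitress/parser.py, `int()` remains the only validation of Content-Length, and it accepts more than the digits-only form HTTP defines: a signed value such as `-1` or `+10`, or one padded with whitespace, converts without a ValueError. A negative result is stored in `self.content_length` and simply skips the `if cl > 0` branch instead of producing a 400, and any value that an intermediary reads differently from waitress leaves the two disagreeing about where the request ends. Consider checking the raw string before converting, e.g. `cl_raw = headers.get("CONTENT_LENGTH", "0")` followed by `if not cl_raw or cl_raw.strip("0123456789"): raise ParsingError("Content-Length is invalid")`. The enclosing method starts and ends outside the hunk, so whether the header value is already normalised earlier cannot be seen here.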
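Review bot: Both tests in the `@@ -167,9 +167,28 @@` hunk of waitress/tests/test_parser.py report only `False is not true` if parse_header ever stops raising, because the `else:` branch calls `self.assertTrue(False)`. Wrapping the call as `with self.assertRaises(ParsingError) as ctx:` around `self.parser.parse_header(data)`, then `self.assertIn("Content-Length is invalid", ctx.exception.args[0])`, states the expectation directly and removes the need for `# pragma: nocover`. The context line above the first test suggests the try/else shape may be the file's existing convention, so this could be applied file-wide instead. The test class continues outside the hunk.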