]> git.ipfire.org Git - thirdparty/Python/cpython.git/commit
[3.15] gh-150743: Limit trailer lines and interim responses read by http.client ...
authorMiss Islington (bot) <31488909+miss-islington@users.noreply.github.com>
Sun, 28 Jun 2026 19:35:27 +0000 (21:35 +0200)
committerGitHub <noreply@github.com>
Sun, 28 Jun 2026 19:35:27 +0000 (19:35 +0000)
commitaa06529dfb8ceeeae631cb432fa761d1389eda72
tree55c92eca75a841ff18d58cba442f998f6b5ec790
parent3334842f893f706e93bd386a712f617c3e295da2
[3.15] gh-150743: Limit trailer lines and interim responses read by http.client (GH-150741) (#152523)

gh-150743: Limit trailer lines and interim responses read by http.client (GH-150741)

http.client read chunked-response trailer lines and skipped interim (1xx)
responses in unbounded loops, so a server streaming either forever would
hang the client even with a socket timeout set (data keeps arriving, so
the timeout never fires).

Trailer lines are now limited to max_response_headers (100 by default)
and interim responses to 100; HTTPException is raised past either limit.

Follow-up to gh-88188 for CVE-2021-3737, which bounded header lines
within an interim response but not these two sibling loops.
(cherry picked from commit 41cc78a7a47fe584e2c2899737fec877d61ae331)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
---

This issue was reported to us via [GHSA-w4q2-g22w-6fr4](https://github.com/python/cpython/security/advisories/GHSA-w4q2-g22w-6fr4) and was determined not to be high enough severity to handle privately.

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
Doc/library/http.client.rst
Lib/http/client.py
Lib/test/test_httplib.py
Misc/NEWS.d/next/Security/2026-05-30-00-00-00.gh-issue-150743.httpdos.rst [new file with mode: 0644]