[3.13] gh-150743: Limit trailer lines and interim responses read by http.client (GH-150749) (#152526)
http.client read chunked-response trailer lines and skipped interim (1xx)
responses in unbounded loops, so a server streaming either forever would
hang the client even with a socket timeout set (data keeps arriving, so
the timeout never fires).
Trailer lines are now limited to max_response_headers (100 by default)
and interim responses to 100; HTTPException is raised past either limit.
Follow-up to gh-88188 for CVE-2021-3737, which bounded header lines
within an interim response but not these two sibling loops.
(cherry picked from commit
84badb77f5bb26e51d9a5c478d0e3bfe7ab6eb6f)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
---
This issue was reported to us via [GHSA-w4q2-g22w-6fr4](https://github.com/python/cpython/security/advisories/GHSA-w4q2-g22w-6fr4)
Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>
projects / thirdparty / Python / cpython.git / commit
