Issue #16037: Limit httplib's _read_status() function to work around broken

HTTP servers and reduce memory usage. It's actually a backport of a Python
3.2 fix. Thanks to Adrien Kunysz.

diff --git a/Lib/httplib.py b/Lib/httplib.py
index 98296dc3c52285b7fbf66833af852dd7bd88f001..4c8b0fe2091a88f49457c8878c7c279a4b4974c7 100644 (file)
--- a/Lib/httplib.py
+++ b/Lib/httplib.py
@@ -362,7 +362,9 @@ class HTTPResponse:
 
     def _read_status(self):
         # Initialize with Simple-Response defaults
-        line = self.fp.readline()
+        line = self.fp.readline(_MAXLINE + 1)
+        if len(line) > _MAXLINE:
+            raise LineTooLong("header line")
         if self.debuglevel > 0:
             print "reply:", repr(line)
         if not line:

diff --git a/Misc/NEWS b/Misc/NEWS
index 2693072038995acde1376533fbfbd1264daaedb4..fdd84fe167f1253c503ddc1003f7fef0e2682982 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -9,6 +9,10 @@ What's New in Python 2.7.4
 Core and Builtins
 -----------------
 
+- Issue #16037: Limit httplib's _read_status() function to work around broken
+  HTTP servers and reduce memory usage. It's actually a backport of a Python
+  3.2 fix. Thanks to Adrien Kunysz.
+
 - Issue #13992: The trashcan mechanism is now thread-safe.  This eliminates
   sporadic crashes in multi-thread programs when several long deallocator
   chains ran concurrently and involved subclasses of built-in container