gh-103204: http.server - Enforce that HTTP version numbers must consist only of digits (#103205)

Reject HTTP requests with invalid http/x.y version numbers: x or y being non-digits or too-long. --------- Co-authored-by: Oleg Iarygin <oleg@arhadthedev.net> Co-authored-by: Gregory P. Smith <greg@krypto.org>
2025-11-03 19:34:08 +00:00 · 2023-05-12 16:25:58 -04:00 · 2023-05-12 16:25:58 -04:00 · cf720acfcb
commit cf720acfcb
parent 25db95d224
3 changed files with 28 additions and 0 deletions
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -164,6 +164,27 @@ class BaseHTTPServerTestCase(BaseTestCase):
        res = self.con.getresponse()
        self.assertEqual(res.status, HTTPStatus.BAD_REQUEST)

+    def test_version_signs_and_underscores(self):
+        self.con._http_vsn_str = 'HTTP/-9_9_9.+9_9_9'
+        self.con.putrequest('GET', '/')
+        self.con.endheaders()
+        res = self.con.getresponse()
+        self.assertEqual(res.status, HTTPStatus.BAD_REQUEST)
+
+    def test_major_version_number_too_long(self):
+        self.con._http_vsn_str = 'HTTP/909876543210.0'
+        self.con.putrequest('GET', '/')
+        self.con.endheaders()
+        res = self.con.getresponse()
+        self.assertEqual(res.status, HTTPStatus.BAD_REQUEST)
+
+    def test_minor_version_number_too_long(self):
+        self.con._http_vsn_str = 'HTTP/1.909876543210'
+        self.con.putrequest('GET', '/')
+        self.con.endheaders()
+        res = self.con.getresponse()
+        self.assertEqual(res.status, HTTPStatus.BAD_REQUEST)
+
    def test_version_none_get(self):
        self.con._http_vsn_str = ''
        self.con.putrequest('GET', '/')