Limit the size of each request line

2021-09-27 17:54:51 +01:00
parent d75449eb32
commit de9c991a9a
4 changed files with 55 additions and 6 deletions
--- a/src/microdot_asyncio.py
+++ b/src/microdot_asyncio.py
@@ -34,7 +34,7 @@ class Request(BaseRequest):
        object.
        """
        # request line
-        line = (await client_stream.readline()).strip().decode()
+        line = (await Request._safe_readline(client_stream)).strip().decode()
        if not line:  # pragma: no cover
            return None
        method, url, http_version = line.split()
@@ -44,7 +44,8 @@ class Request(BaseRequest):
        headers = {}
        content_length = 0
        while True:
-            line = (await client_stream.readline()).strip().decode()
+            line = (await Request._safe_readline(
+                client_stream)).strip().decode()
            if line == '':
                break
            header, value = line.split(':', 1)
@@ -60,6 +61,13 @@ class Request(BaseRequest):
        return Request(app, client_addr, method, url, http_version, headers,
                       body)

+    @staticmethod
+    async def _safe_readline(stream):
+        line = (await stream.readline())
+        if len(line) > Request.max_readline:
+            raise ValueError('line too long')
+        return line
+

 class Response(BaseResponse):
    """An HTTP response class.