Skip to content

[3.15] gh-150743: Limit trailer lines and interim responses read by http.client (GH-150741)#152523

Merged
gpshead merged 1 commit into
python:3.15from
miss-islington:backport-41cc78a-3.15
Jun 28, 2026
Merged

[3.15] gh-150743: Limit trailer lines and interim responses read by http.client (GH-150741)#152523
gpshead merged 1 commit into
python:3.15from
miss-islington:backport-41cc78a-3.15

Conversation

@miss-islington

@miss-islington miss-islington commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

http.client read chunked-response trailer lines and skipped interim (1xx)
responses in unbounded loops, so a server streaming either forever would
hang the client even with a socket timeout set (data keeps arriving, so
the timeout never fires).

Trailer lines are now limited to max_response_headers (100 by default)
and interim responses to 100; HTTPException is raised past either limit.

Follow-up to gh-88188 for CVE-2021-3737, which bounded header lines
within an interim response but not these two sibling loops.
(cherry picked from commit 41cc78a)

Co-authored-by: Gregory P. Smith 68491+gpshead@users.noreply.github.com


This issue was reported to us via GHSA-w4q2-g22w-6fr4 and was determined not to be high enough severity to handle privately.

…tp.client (pythonGH-150741)

http.client read chunked-response trailer lines and skipped interim (1xx)
responses in unbounded loops, so a server streaming either forever would
hang the client even with a socket timeout set (data keeps arriving, so
the timeout never fires).

Trailer lines are now limited to max_response_headers (100 by default)
and interim responses to 100; HTTPException is raised past either limit.

Follow-up to pythongh-88188 for CVE-2021-3737, which bounded header lines
within an interim response but not these two sibling loops.
(cherry picked from commit 41cc78a)

Co-authored-by: Gregory P. Smith <68491+gpshead@users.noreply.github.com>

---

This issue was reported to us via [GHSA-w4q2-g22w-6fr4](https://github.com/python/cpython/security/advisories/GHSA-w4q2-g22w-6fr4) and was determined not to be high enough severity to handle privately.
@read-the-docs-community

Copy link
Copy Markdown

@gpshead gpshead merged commit aa06529 into python:3.15 Jun 28, 2026
60 checks passed
@miss-islington miss-islington deleted the backport-41cc78a-3.15 branch June 28, 2026 19:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type-security A security issue

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants