Merge pull request #181 from Julien00859/Julien00859/get_int_max_str_…

…digits Reject Content-Length longer than 1 billion TB
python-hyper · Jan 12, 2025 · 70a96be · 70a96be
2 parents 31e626c + 60782ad
commit 70a96be
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/h11/_headers.py b/h11/_headers.py
@@ -12,6 +12,8 @@
 except ImportError:
     from typing_extensions import Literal  # type: ignore
 
+CONTENT_LENGTH_MAX_DIGITS = 20  # allow up to 1 billion TB - 1
+
 
 # Facts
 # -----
@@ -173,6 +175,8 @@ def normalize_and_validate(
                 raise LocalProtocolError("conflicting Content-Length headers")
             value = lengths.pop()
             validate(_content_length_re, value, "bad Content-Length")
+            if len(value) > CONTENT_LENGTH_MAX_DIGITS:
+                raise LocalProtocolError("bad Content-Length")
             if seen_content_length is None:
                 seen_content_length = value
                 new_headers.append((raw_name, name, value))

diff --git a/h11/tests/test_headers.py b/h11/tests/test_headers.py
@@ -74,6 +74,8 @@ def test_normalize_and_validate() -> None:
         )
     with pytest.raises(LocalProtocolError):
         normalize_and_validate([("Content-Length", "1 , 1,2")])
+    with pytest.raises(LocalProtocolError):
+        normalize_and_validate([("Content-Length", "1" * 21)])  # 1 billion TB
 
     # transfer-encoding
     assert normalize_and_validate([("Transfer-Encoding", "chunked")]) == [