Reject Content-Length longer than 4300 digits

python-hyper · Jan 11, 2025 · 40a14d8 · 40a14d8
1 parent 31e626c
commit 40a14d8
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/h11/_headers.py b/h11/_headers.py
@@ -1,4 +1,9 @@
 import re
+try:
+    from sys import get_int_max_str_digits
+except ImportError:
+    def get_int_max_str_digits():
+        return 4300  # CPython default
 from typing import AnyStr, cast, List, overload, Sequence, Tuple, TYPE_CHECKING, Union
 
 from ._abnf import field_name, field_value
@@ -173,6 +178,8 @@ def normalize_and_validate(
                 raise LocalProtocolError("conflicting Content-Length headers")
             value = lengths.pop()
             validate(_content_length_re, value, "bad Content-Length")
+            if len(value) > get_int_max_str_digits():
+                raise LocalProtocolError("bad Content-Length")
             if seen_content_length is None:
                 seen_content_length = value
                 new_headers.append((raw_name, name, value))

diff --git a/h11/tests/test_headers.py b/h11/tests/test_headers.py
@@ -74,6 +74,8 @@ def test_normalize_and_validate() -> None:
         )
     with pytest.raises(LocalProtocolError):
         normalize_and_validate([("Content-Length", "1 , 1,2")])
+    with pytest.raises(LocalProtocolError):
+        normalize_and_validate([("Content-Length", "1" * 4301)])
 
     # transfer-encoding
     assert normalize_and_validate([("Transfer-Encoding", "chunked")]) == [