Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BaseHTTPRequestHandler.parse_request() loses client-provided information #99220

Open
tipabu opened this issue Nov 7, 2022 · 2 comments
Open

BaseHTTPRequestHandler.parse_request() loses client-provided information #99220

tipabu opened this issue Nov 7, 2022 · 2 comments
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error

Comments

@tipabu
Copy link
Contributor

tipabu commented Nov 7, 2022

Bug report

The fix for #87389 prevents servers from handling request paths with multiple leading slashes.

For example, one might have a simple server that just reflects the request path:

from http.server import *

class MyHTTPRequestHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(self.path.encode('latin1'))

with ThreadingHTTPServer(('127.0.0.1', 8000), MyHTTPRequestHandler) as server:
    server.serve_forever()

Previously, this would faithfully mirror the request path from the client:

$ curl -v http://localhost:8000//test
*   Trying 127.0.0.1:8000...
* Connected to localhost (127.0.0.1) port 8000 (#0)
> GET //test HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/7.82.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: BaseHTTP/0.6 Python/3.8.13
< Date: Mon, 07 Nov 2022 21:51:19 GMT
< 
* Closing connection 0
//test

But now it mangles it:

$ curl -v http://localhost:8000//test
*   Trying 127.0.0.1:8000...
* Connected to localhost (127.0.0.1) port 8000 (#0)
> GET //test HTTP/1.1
> Host: localhost:8000
> User-Agent: curl/7.82.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: BaseHTTP/0.6 Python/3.11.0
< Date: Mon, 07 Nov 2022 21:51:30 GMT
< 
* Closing connection 0
/test

This impacts any servers that subclass BaseHTTPRequestHandler, such as eventlet's WSGI server.
@tipabu tipabu added the type-bug An unexpected behavior, bug, or error label Nov 7, 2022
@tipabu
Copy link
Contributor Author

tipabu commented Nov 8, 2022

FWIW, this also impacts wsgiref, which seems not-great considering how it's supposed to be a reference implementation. This example has the same bad behavior as above, except with a different Server header:

from wsgiref.simple_server import make_server

def app(env, start_response):
    start_response('200 OK', [])
    return [env['PATH_INFO'].encode('ascii')]

with make_server('', 8000, app) as httpd:
    httpd.serve_forever()

openstack-mirroring pushed a commit to openstack/openstack that referenced this issue Dec 19, 2022
@openstack-gerrit
Update git submodules
afbd804 
* Update swift from branch 'master'
  to 0c18b2d32910d507203b72c78fbcef8089ab9e5c
  - Merge "Inline parse_request from cpython"
  - Inline parse_request from cpython
    
    Applied deltas:
    
    - Fix http.client references
    - Inline HTTPStatus codes
    - Address request line splitting (https://bugs.python.org/issue33973)
    - Special-case py2 header-parsing
    - Address multiple leading slashes in request path
      (python/cpython#99220)
    
    Change-Id: Iae28097668213aa0734837ff21aef83251167d19
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Dec 19, 2022
@tipabu
Inline parse_request from cpython
884f553 
Applied deltas:

- Fix http.client references
- Inline HTTPStatus codes
- Address request line splitting (https://bugs.python.org/issue33973)
- Special-case py2 header-parsing
- Address multiple leading slashes in request path
  (python/cpython#99220)

Change-Id: Iae28097668213aa0734837ff21aef83251167d19
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Dec 19, 2022
@tipabu
Mark rolling-upgrade job non-voting
c8662c6 
Upstream CPython broke our HTTP parsing; while we can fix our own
HttpProtocol, previous tags won't have the fix (naturally).

See also: python/cpython@4abab6b
and python/cpython#99220

Change-Id: Ibe67b1a485350967e37809ba8575a33eba56ee97
Related-Change: https://review.opendev.org/c/openstack/swift/+/863441
Related-Change: https://review.opendev.org/c/openstack/swift/+/866801
(cherry picked from commit d1b2bbd)
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Dec 20, 2022
@tipabu
Inline parse_request from cpython
aa81e4f 
Applied deltas:

- Fix http.client references
- Inline HTTPStatus codes
- Address request line splitting (https://bugs.python.org/issue33973)
- Special-case py2 header-parsing
- Address multiple leading slashes in request path
  (python/cpython#99220)

Closes-Bug: #1999278
Change-Id: Iae28097668213aa0734837ff21aef83251167d19
(cherry picked from commit 884f553)
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Dec 21, 2022
@tipabu
Inline parse_request from cpython
a6a8591 
Applied deltas:

- Fix http.client references
- Inline HTTPStatus codes
- Address request line splitting (https://bugs.python.org/issue33973)
- Special-case py2 header-parsing
- Address multiple leading slashes in request path
  (python/cpython#99220)

Closes-Bug: #1999278
Change-Id: Iae28097668213aa0734837ff21aef83251167d19
(cherry picked from commit 884f553)
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Dec 21, 2022
@tipabu
Inline parse_request from cpython
a196790 
Applied deltas:

- Fix http.client references
- Inline HTTPStatus codes
- Address request line splitting (https://bugs.python.org/issue33973)
- Special-case py2 header-parsing
- Address multiple leading slashes in request path
  (python/cpython#99220)

Closes-Bug: #1999278
Change-Id: Iae28097668213aa0734837ff21aef83251167d19
(cherry picked from commit 884f553)
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Dec 21, 2022
@tipabu
Inline parse_request from cpython
238f7af 
Applied deltas:

- Fix http.client references
- Inline HTTPStatus codes
- Address request line splitting (https://bugs.python.org/issue33973)
- Special-case py2 header-parsing
- Address multiple leading slashes in request path
  (python/cpython#99220)

Closes-Bug: #1999278
Change-Id: Iae28097668213aa0734837ff21aef83251167d19
(cherry picked from commit 884f553)
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Jan 7, 2023
@tipabu
Inline parse_request from cpython
4bd18dc 
Applied deltas:

- Fix http.client references
- Inline HTTPStatus codes
- Address request line splitting (https://bugs.python.org/issue33973)
- Special-case py2 header-parsing
- Address multiple leading slashes in request path
  (python/cpython#99220)

Closes-Bug: #1999278
Change-Id: Iae28097668213aa0734837ff21aef83251167d19
(cherry picked from commit 884f553)
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Jan 7, 2023
@tipabu
Inline parse_request from cpython
28d6cf1 
Applied deltas:

- Fix http.client references
- Inline HTTPStatus codes
- Address request line splitting (https://bugs.python.org/issue33973)
- Special-case py2 header-parsing
- Address multiple leading slashes in request path
  (python/cpython#99220)

Closes-Bug: #1999278
Change-Id: Iae28097668213aa0734837ff21aef83251167d19
(cherry picked from commit 884f553)
openstack-mirroring pushed a commit to openstack/swift that referenced this issue Jan 7, 2023
@tipabu
Inline parse_request from cpython
a86270b 
Applied deltas:

- Fix http.client references
- Inline HTTPStatus codes
- Address request line splitting (https://bugs.python.org/issue33973)
- Special-case py2 header-parsing
- Address multiple leading slashes in request path
  (python/cpython#99220)

Closes-Bug: #1999278
Change-Id: Iae28097668213aa0734837ff21aef83251167d19
(cherry picked from commit 884f553)
@iritkatriel iritkatriel added the stdlib Python modules in the Lib dir label Nov 26, 2023
@vadmium
Copy link
Member

vadmium commented Apr 28, 2024

The path mangling is not documented. The change in question seems to be commit defaa2b. Perhaps it should have only been made in the SimpleHTTPRequestHandler class, not BaseHTTPRequestHandler.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stdlib Python modules in the Lib dir type-bug An unexpected behavior, bug, or error
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vadmium @iritkatriel @tipabu