Devin Cook added the comment:
It looks like this bug was reintroduced in a5a3ae9be1fb.
--
nosy: +devin
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue672656
New submission from Devin Cook:
BaseHTTPRequestHandler limits request length to prevent DoS. WSGIRequestHandler
should probably do the same.
See: http://bugs.python.org/issue10714
--
components: Library (Lib)
files: wsgiref_request_length.patch
keywords: patch
messages: 226931
nosy
New submission from Devin Cook:
Several years ago a patch was applied to set the default binding of the pydoc
server to localhost instead of 0.0.0.0. It appears that the issue was
reintroduced in a5a3ae9be1fb.
See previous issue: http://bugs.python.org/issue672656
$ ./python -m pydoc -b
Devin Cook added the comment:
Sure, thanks.
New issue: http://bugs.python.org/issue22421
--
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue672656
Changes by Devin Cook devin.c.c...@gmail.com:
Removed file: http://bugs.python.org/file29202/asynchat_tip.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11259
Devin Cook added the comment:
updating the patch to the current tip
--
Added file: http://bugs.python.org/file34310/asynchat_tip.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11259
Devin Cook added the comment:
It looks like it's allowed for header line continuation.
http://www.ietf.org/rfc/rfc2616.txt
HTTP/1.1 header field values can be folded onto multiple lines if the
continuation line begins with a space or horizontal tab. All linear
white space, including folding
Changes by Devin Cook devin.c.c...@gmail.com:
Removed file: http://bugs.python.org/file29182/header_newlines.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11671
Devin Cook added the comment:
The spec doesn't say anything about the header name. It probably should though,
as the same issue exists there.
I used two searches because that's how it's done in wsgiref.validate, and it's
not a huge deal to do that because the second one will only execute when
Changes by Devin Cook devin.c.c...@gmail.com:
Removed file: http://bugs.python.org/file29192/header_newlines_2.7.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11671
Changes by Devin Cook devin.c.c...@gmail.com:
Removed file: http://bugs.python.org/file29193/header_newlines_2.6.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11671
Devin Cook added the comment:
Should now be compliant with this part of the spec:
Each header_value must not include any control characters, including carriage
returns or linefeeds, either embedded or at the end. (These requirements are to
minimize the complexity of any parsing that must
Devin Cook added the comment:
backported patch to 2.7
--
Added file: http://bugs.python.org/file29192/header_newlines_2.7.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11671
Devin Cook added the comment:
backported patch to 2.6
--
Added file: http://bugs.python.org/file29193/header_newlines_2.6.patch
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue11671
Changes by Devin Cook devin.c.c...@gmail.com:
--
nosy: +devin
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue12226
___
___
Python-bugs-list mailing
Devin Cook added the comment:
I agree that this is probably a bug, but can't think of any instances where
this in itself would cause a security issue. By sending something like a
negative Content-Length, you do indeed get data returned that doesn't really
match the data sent on the wire
Devin Cook added the comment:
This looks resolved. Can it be closed?
--
nosy: +devin
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue10340
Changes by Devin Cook devin.c.c...@gmail.com:
--
nosy: +devin
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue16632
___
Devin Cook devin.c.c...@gmail.com added the comment:
It sounds like you may already have an idea of how you want the API structured,
but just in case you're still thinking about it here's another API to look at
that I think focuses on exactly what you were highlighting as priorities (sane
Devin Cook devin.c.c...@gmail.com added the comment:
I think it looks good except for the wildcard checking. According to the latest
draft of that TLS id-checking RFC, you aren't supposed to allow the wildcard as
part of a fragment. Of course this contradicts RFC 2818.
http://tools.ietf.org
Devin Cook devin.c.c...@gmail.com added the comment:
> I'm also assuming RFC 2818 is in wider use than the id-checking draft;
> am I wrong?
Yeah, since RFC 2818 has been accepted since 2000 and the id-checking draft was
started in 2009, I'd say it's a safe bet. I'm in no way authoritative though
Devin Cook devin.c.c...@gmail.com added the comment:
> Correct me if I'm wrong, but the well-maintained pyOpenSSL
> package doesn't have the missing functionality (hostname
> checking in server certificates), either.
I'm pretty sure it's just a wrapper around the openssl library, which does
Changes by Devin Cook devin.c.c...@gmail.com:
--
nosy: +devin
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue1589
___