Issue #1030 resolved

malformed HTTP request does not result in '400 Bad Request'

Anonymous created an issue

CherryPy is listening on port 8000. Issuing the command:

{{{ openssl s_client -quiet -ssl3 -connect }}}

and then entering an illegal request (observe the spaces on both sides of the /):

{{{ GET / HTT }}}

generates the following output:

{{{
HTTP/1.1 500 Internal Server Error
Content-Length: 502
Content-Type: text/plain

Traceback (most recent call last):
  File "/opt/splunk/lib/python2.6/site-packages/cherrypy/wsgiserver/", line 1227, in communicate
    req.parse_request()
  File "/opt/splunk/lib/python2.6/site-packages/cherrypy/wsgiserver/", line 315, in parse_request
    self._parse_request()
  File "/opt/splunk/lib/python2.6/site-packages/cherrypy/wsgiserver/", line 395, in _parse_request
    rp = int(req_protocol[5]), int(req_protocol[7])
IndexError: string index out of range
read:errno=0
}}}

This should result in a '400 Bad Request' rather than '500 Internal Server Error'.

This behavior seems to occur because of the following code in wsgiserver/ around line 346:

{{{
try:
    method, path, req_protocol = request_line.strip().split(" ", 2)
except ValueError:
    self.simple_response(400, "Malformed Request-Line")
    return
}}}

Perhaps validating the values with re or a string method would solve this problem.
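The failure described in this report, reproduced as an added example (not CherryPy's code and not from the reporter): `parse_unchecked` mirrors the quoted split-then-index logic, and `parse_validated` is a hypothetical variant that checks the protocol token with `re` before converting it. The function names, the `status_for` helper, the use of `str` instead of the server's raw bytes, and the sample request lines are assumptions made for illustration.

```python
import re

# HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT (RFC 2616, section 3.1)
HTTP_VERSION = re.compile(r"HTTP/([0-9]+)\.([0-9]+)\Z")


def parse_unchecked(request_line):
    """Logic as quoted in the issue: only the field count is checked."""
    try:
        method, path, req_protocol = request_line.strip().split(" ", 2)
    except ValueError:
        return 400, "Malformed Request-Line"
    # A short or non-numeric protocol token raises IndexError/ValueError here,
    # outside the try block, so the server answers 500 with a traceback.
    rp = int(req_protocol[5]), int(req_protocol[7])
    return 200, (method, path, rp)


def parse_validated(request_line):
    """Hypothetical hardened variant: validate the protocol token first."""
    try:
        method, path, req_protocol = request_line.strip().split(" ", 2)
    except ValueError:
        return 400, "Malformed Request-Line"
    match = HTTP_VERSION.match(req_protocol)
    if match is None:
        return 400, "Malformed Request-Line: bad protocol"
    rp = int(match.group(1)), int(match.group(2))
    return 200, (method, path, rp)


def status_for(parser, request_line):
    """Mimic the server loop: an uncaught parser exception becomes a 500."""
    try:
        return parser(request_line)[0]
    except Exception:
        return 500


# Constructed request lines; the first is the one from the report.
SAMPLES = ["GET / HTT", "GET / HTTP/1.1", "GET /",
           "GET / HTTP/x.y", "GET / HTTP/1.1 junk"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), status_for(parse_unchecked, line),
              status_for(parse_validated, line))
```

The last sample shows a second gap in the index-based conversion: trailing text after the version is accepted as HTTP/1.1, while the anchored pattern rejects it with a 400.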
