Skip to content

Uncaught exception in http.server request handling (<=3.10) #103223

New issue
New issue
Closed as not planned
Closed as not planned
Uncaught exception in http.server request handling (<=3.10)#103223
Labels
3.10only security fixesstdlibStandard Library Python modules in the Lib/ directorytype-bugAn unexpected behavior, bug, or error
@kenballus

Description

@kenballus
kenballus
opened on Apr 3, 2023

Sending a null byte in an HTTP request path or URL triggers an uncaught ValueError in CPython 3.10 and below.

Reproduction Instructions

Open two terminals and do the following (requires python <=3.10; current 3.10 branch included):

Terminal 1:

$ ./python -m http.server --bind 127.0.0.1
Serving HTTP on 127.0.0.1 port 8000 (http://127.0.0.1:8000/) ...

Terminal 2:

$ printf 'GET \x00 HTTP/1.1\r\n\r\n' | nc localhost 8000

Terminal 1:

----------------------------------------
Exception occurred during processing of request from ('127.0.0.1', 56900)
Traceback (most recent call last):
  File "/home/bkallus/clones/cpython/Lib/socketserver.py", line 683, in process_request_thread
    self.finish_request(request, client_address)
  File "/home/bkallus/clones/cpython/Lib/http/server.py", line 1304, in finish_request
    self.RequestHandlerClass(request, client_address, self,
  File "/home/bkallus/clones/cpython/Lib/http/server.py", line 668, in __init__
    super().__init__(*args, **kwargs)
  File "/home/bkallus/clones/cpython/Lib/socketserver.py", line 747, in __init__
    self.handle()
  File "/home/bkallus/clones/cpython/Lib/http/server.py", line 433, in handle
    self.handle_one_request()
  File "/home/bkallus/clones/cpython/Lib/http/server.py", line 421, in handle_one_request
    method()
  File "/home/bkallus/clones/cpython/Lib/http/server.py", line 672, in do_GET
    f = self.send_head()
  File "/home/bkallus/clones/cpython/Lib/http/server.py", line 727, in send_head
    f = open(path, 'rb')
ValueError: embedded null byte
----------------------------------------

This bug is fixed in python 3.11+, but I haven't yet figured out why. As far as I can tell, the relevant portions of Lib/http/server.py and Lib/socketserver.py remain unchanged. I think the issue boils down to catching only OSErrors, but not ValueErrors, even though open can raise ValueErrors. I would guess that this happened because the docs do not clearly state that open(path, 'rb') can raise a ValueError.

Environment:

Arch Linux, x86_64
Python 3.10.10+

Metadata

Metadata

Assignees

No one assigned

    Labels

    3.10only security fixesstdlibStandard Library Python modules in the Lib/ directorytype-bugAn unexpected behavior, bug, or error

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions