Conversation

@twangboy twangboy commented Jan 8, 2026

What does this PR do?

Sets a safe limit for the read function of a response from http.client to avoid DoS through excessive memory allocation. We're doing this because we can't upgrade to Python 3.13.11.

Fixes: #68618
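A bounded-read pattern of the kind this PR describes, as an added example that is not the PR's own code: the body of an http.client response is read in fixed-size chunks and the read is aborted once a caller-supplied cap is exceeded, rather than letting one resp.read() size its buffer from the server-declared Content-Length. The cap value, the function names and the FakeResponse stand-in are assumptions made for this illustration.

```python
import http.client
import io

# Assumed cap for this example; the PR's actual limit value is not reproduced here.
MAX_RESPONSE_BYTES = 64 * 1024 * 1024
CHUNK_SIZE = 64 * 1024


class ResponseTooLarge(Exception):
    """Raised when a body would exceed the caller's limit."""


def read_limited(resp, limit=MAX_RESPONSE_BYTES, chunk_size=CHUNK_SIZE):
    """Read a response body without ever holding more than `limit` bytes.

    `resp` is anything with a read(n) method, e.g. http.client.HTTPResponse.
    A bare resp.read() sizes its buffer from the server-sent Content-Length,
    so the peer controls the allocation; reading chunk by chunk and counting
    bytes bounds it by `limit` regardless of what the headers claim.
    """
    buf = io.BytesIO()
    total = 0
    while True:
        chunk = resp.read(chunk_size)
        if not chunk:
            break
        total += len(chunk)
        if total > limit:
            raise ResponseTooLarge(f"response body exceeded {limit} bytes")
        buf.write(chunk)
    return buf.getvalue()


def fetch_limited(host, path, limit=MAX_RESPONSE_BYTES, timeout=30):
    """GET `path` over HTTPS and return (status, body) with the body capped."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, read_limited(resp, limit)
    finally:
        conn.close()


class FakeResponse:
    """Constructed stand-in for HTTPResponse so the example runs offline."""

    def __init__(self, payload):
        self._stream = io.BytesIO(payload)

    def read(self, amt=None):
        return self._stream.read(amt)
```

A caller that previously did `resp.read()` swaps in `read_limited(resp, limit)` and handles `ResponseTooLarge` as a failed request instead of letting the process grow without bound.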

@twangboy twangboy requested a review from a team as a code owner January 8, 2026 19:07
@twangboy twangboy added the Tests label Jan 8, 2026
@twangboy twangboy self-assigned this Jan 8, 2026
@twangboy twangboy added test:full Run the full test suite and removed Tests labels Jan 8, 2026
@twangboy twangboy added this to the Sulphur 3006.19 milestone Jan 8, 2026
@twangboy twangboy changed the title Set a safe limit to http.client response read [WIP] Set a safe limit to http.client response read Jan 8, 2026
@dwoz dwoz changed the title [WIP] Set a safe limit to http.client response read Set a safe limit to http.client response read Jan 9, 2026
@dwoz dwoz merged commit 034d966 into saltstack:3006.x Jan 9, 2026
8 checks passed

bdrx312 commented Jan 12, 2026

because we can't upgrade to Python 3.13.11

It looks like a fix also went into python 3.12
python/cpython@14b1fdb

and are targeted to be backported to 3.10 and 3.11

python/cpython#142142
python/cpython#142141

m-czernek added a commit to openSUSE/salt that referenced this pull request Jan 14, 2026
…7726) (#744)

* Fixes for security issues (CVE-2025-67725)

httputil: Fix quadratic performance of repeated header lines

Previously, when many header lines with the same name were found
in an HTTP request or response, repeated string concatenation would
result in quadratic performance. This change does the concatenation
lazily (with a cache) so that repeated headers can be processed
efficiently.

Security: The previous behavior allowed a denial of service attack
via a maliciously crafted HTTP message, but only if the
max_header_size was increased from its default of 64kB.

* Patch tornado for (BDSA-2025-60811, CVE-2025-67726)

httputil: Fix quadratic behavior in _parseparam

Prior to this change, _parseparam had O(n^2) behavior when parsing
certain inputs, which could be a DoS vector. This change adapts
logic from the equivalent function in the python standard library
in https://github.com/python/cpython/pull/136072/files

* Set a safe limit to http.client response read (CVE-2025-13836)

saltstack/salt#68611

* Remove duplicated test

---------

Co-authored-by: Twangboy <shane.d.lee@gmail.com>
Co-authored-by: Marek Czernek <marek.czernek@suse.com>