Reject Content-Length longer than 4300 digits

Julien00859 · Julien00859 · commit 8ff7107a0c92 · 2025-01-11T02:59:16.000+01:00
diff --git a/h11/_headers.py b/h11/_headers.py
@@ -12,6 +12,12 @@
 except ImportError:
     from typing_extensions import Literal  # type: ignore
 
+try:
+    from sys import get_int_max_str_digits
+except ImportError:
+    def get_int_max_str_digits():
+        return 4300  # CPython default
+
 
 # Facts
 # -----
@@ -173,6 +179,8 @@ def normalize_and_validate(
                 raise LocalProtocolError("conflicting Content-Length headers")
             value = lengths.pop()
             validate(_content_length_re, value, "bad Content-Length")
+            if len(value) > get_int_max_str_digits():
+                raise LocalProtocolError("bad Content-Length")
             if seen_content_length is None:
                 seen_content_length = value
                 new_headers.append((raw_name, name, value))
diff --git a/h11/tests/test_headers.py b/h11/tests/test_headers.py
@@ -74,6 +74,8 @@ def test_normalize_and_validate() -> None:
         )
     with pytest.raises(LocalProtocolError):
         normalize_and_validate([("Content-Length", "1 , 1,2")])
+    with pytest.raises(LocalProtocolError):
+        normalize_and_validate([("Content-Length", "1" * 4301)])
 
     # transfer-encoding
     assert normalize_and_validate([("Transfer-Encoding", "chunked")]) == [

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,8 @@ def test_normalize_and_validate() -> None:`
`74`	`74`	`)`
`75`	`75`	`with pytest.raises(LocalProtocolError):`
`76`	`76`	`normalize_and_validate([("Content-Length", "1 , 1,2")])`
	`77`	`+ with pytest.raises(LocalProtocolError):`
	`78`	`+ normalize_and_validate([("Content-Length", "1" * 4301)])`
`77`	`79`
`78`	`80`	`# transfer-encoding`
`79`	`81`	`assert normalize_and_validate([("Transfer-Encoding", "chunked")]) == [`