diff options
| author | Jake Howard <git@theorangeone.net> | 2026-01-14 15:25:45 +0000 |
|---|---|---|
| committer | Jacob Walls <jacobtylerwalls@gmail.com> | 2026-02-03 08:00:14 -0500 |
| commit | 972dbdd4f7f69e9c405e6fe12a1b90e4713c1611 (patch) | |
| tree | 052d5bf91f17028daeca71c77f35f0ddf0c8f42f /tests | |
| parent | d72cc3be3be0bbebdcaea5a8c8106b4d6f2a32bd (diff) | |
[6.0.x] Fixed CVE-2025-14550 -- Optimized repeated header parsing in ASGI requests.
Thanks Jiyong Yang for the report, and Natalia Bidart, Jacob Walls, and
Shai Berger for reviews.
Backport of eb22e1d6d643360e952609ef562c139a100ea4eb from main.
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/asgi/tests.py | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/tests/asgi/tests.py b/tests/asgi/tests.py index bb1020dd47..6d74903e41 100644 --- a/tests/asgi/tests.py +++ b/tests/asgi/tests.py @@ -223,7 +223,7 @@ class ASGITest(SimpleTestCase): self.assertEqual(response_body["type"], "http.response.body") self.assertEqual(response_body["body"], b"Echo!") - async def test_create_request_error(self): + async def test_request_too_big_request_error(self): # Track request_finished signal. signal_handler = SignalHandler() request_finished.connect(signal_handler) @@ -254,6 +254,32 @@ class ASGITest(SimpleTestCase): signal_handler.calls[0]["thread"], threading.current_thread() ) + async def test_meta_not_modified_with_repeat_headers(self): + scope = self.async_request_factory._base_scope(path="/", http_version="2.0") + scope["headers"] = [(b"foo", b"bar")] * 200_000 + + setitem_count = 0 + + class InstrumentedDict(dict): + def __setitem__(self, *args, **kwargs): + nonlocal setitem_count + setitem_count += 1 + super().__setitem__(*args, **kwargs) + + class InstrumentedASGIRequest(ASGIRequest): + @property + def META(self): + return self._meta + + @META.setter + def META(self, value): + self._meta = InstrumentedDict(**value) + + request = InstrumentedASGIRequest(scope, None) + + self.assertEqual(len(request.headers["foo"].split(",")), 200_000) + self.assertLessEqual(setitem_count, 100) + async def test_cancel_post_request_with_sync_processing(self): """ The request.body object should be available and readable in view |