aiohttp icon indicating copy to clipboard operation
aiohttp copied to clipboard
verified publisher icon aio-libs

HttpParser argument max_headers is not enforced

Open starflows opened this issue 3 years ago • 1 comments

Describe the bug

The max_headers argument is not used. It does not limit the number of headers allowed in a response.

To Reproduce

See the failing unittest https://github.com/aio-libs/aiohttp/blob/188852b8d9ff082ce7793f3f8d03128cc62f3ac1/tests/test_client_functional.py#L3155

Expected behavior

I assume the argument should limit how many headers a response may have. I expect the request to fail if too many headers are returned.

Logs/tracebacks

The new unittest https://github.com/aio-libs/aiohttp/blob/188852b8d9ff082ce7793f3f8d03128cc62f3ac1/tests/test_client_functional.py#L3155 of https://github.com/aio-libs/aiohttp/pull/6720 does not fail although more than the allowed 32768 headers are returned.

Python Version

$ python --version
Python 3.10.4

aiohttp Version

$ python -m pip show aiohttp
Name: aiohttp
Version: 4.0.0a1
Summary: Async http client/server framework (asyncio)
Home-page: https://github.com/aio-libs/aiohttp
Author: 
Author-email: 
License: Apache 2
Location: /home/work/starflows/aiohttp
Requires: aiosignal, async_timeout, charset-normalizer, frozenlist, multidict, typing_extensions, yarl
Required-by:

multidict Version

$ python -m pip show multidict
Name: multidict
Version: 5.2.0
Summary: multidict implementation
Home-page: https://github.com/aio-libs/multidict
Author: Andrew Svetlov
Author-email: [email protected]
License: Apache 2
Location: /home/work/starflows/aiohttp/venv/lib/python3.10/site-packages
Requires: 
Required-by: aiohttp, yarl

yarl Version

$ python -m pip show yarl
Name: yarl
Version: 1.7.2
Summary: Yet another URL library
Home-page: https://github.com/aio-libs/yarl/
Author: Andrew Svetlov
Author-email: [email protected]
License: Apache 2
Location: /home/work/starflows/aiohttp/venv/lib/python3.10/site-packages
Requires: idna, multidict
Required-by: aiohttp

OS

Arch Linux 5.17.4-arch1-1

Related component

Client

Additional context

No response

Code of Conduct

  • [X] I agree to follow the aio-libs Code of Conduct

starflows avatar Apr 27 '22 12:04 starflows

Appears to limit the max size of each header, not the total number of headers: https://github.com/aio-libs/aiohttp/blob/f382b5ffc445e45a110734f5396728da7914aeb6/asynchttp/protocol.py#L128

Looks to me like it was part of some functionality that has been completely removed, so the parameter itself should just be removed: https://github.com/aio-libs/aiohttp/commit/6d3866e3b1d3d34c79fa2f709ba2c0170fc70a41#diff-dc6514f769f186d6dccbcc5068ac159225ead876cc4bf76ec305585739467659L226

Dreamsorcerer avatar Apr 27 '22 19:04 Dreamsorcerer