diff --git a/waitress/parser.py b/waitress/parser.py index be4ee00e..6d2f3409 100644 --- a/waitress/parser.py +++ b/waitress/parser.py @@ -294,8 +294,20 @@ def crack_first_line(line): version = m.group(5) else: version = None - command = m.group(1).upper() + method = m.group(1) + + # the request methods that are currently defined are all uppercase: + # https://www.iana.org/assignments/http-methods/http-methods.xhtml and + # the request method is case sensitive according to + # https://tools.ietf.org/html/rfc7231#section-4.1 + + # By disallowing anything but uppercase methods we save poor + # unsuspecting souls from sending lowercase HTTP methods to waitress + # and having the request complete, while servers like nginx drop the + # request onto the floor. + if method != method.upper(): + raise ParsingError('Malformed HTTP method "%s"' % tostr(method)) uri = m.group(2) - return command, uri, version + return method, uri, version else: return b'', b'', b'' diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py index a01356f6..ecb66060 100644 --- a/waitress/tests/test_parser.py +++ b/waitress/tests/test_parser.py @@ -298,15 +298,19 @@ def _callFUT(self, line): return crack_first_line(line) def test_crack_first_line_matchok(self): - result = self._callFUT(b'get / HTTP/1.0') + result = self._callFUT(b'GET / HTTP/1.0') self.assertEqual(result, (b'GET', b'/', b'1.0')) + def test_crack_first_line_lowercase_method(self): + from waitress.parser import ParsingError + self.assertRaises(ParsingError, self._callFUT, b'get / HTTP/1.0') + def test_crack_first_line_nomatch(self): - result = self._callFUT(b'get / bleh') + result = self._callFUT(b'GET / bleh') self.assertEqual(result, (b'', b'', b'')) def test_crack_first_line_missing_version(self): - result = self._callFUT(b'get /') + result = self._callFUT(b'GET /') self.assertEqual(result, (b'GET', b'/', None)) class TestHTTPRequestParserIntegration(unittest.TestCase):