didericis/bot-bottle
1
0
Fork 0
Code Issues 7 Pull Requests 15 Actions Packages Projects Releases Wiki Activity

Harden CGI status-line parsing in git_http_backend #274

Merged
didericis merged 1 commits from harden-cgi-status-parsing into main 2026-06-25 04:02:21 -04:00
Conversation 0 Commits 1 Files Changed 2
+58 -1
didericis-claude commented 2026-06-25 03:11:50 -04:00
Collaborator
Copy Link
Copy Source

Closes #254.

Summary

_write_cgi_response called int(value.split()[0]) on the Status: header returned by git http-backend with no error handling. An empty or non-numeric value raised ValueError/IndexError that escaped the handler thread.

  • Wrap the parse in try/except (ValueError, IndexError) and fall back to HTTP 500, logging the malformed header value.
  • Add TestMalformedStatusHeader with two cases: empty Status: value and a non-numeric Status: value — both must return 500 without throwing.
Closes #254. ## Summary `_write_cgi_response` called `int(value.split()[0])` on the `Status:` header returned by `git http-backend` with no error handling. An empty or non-numeric value raised `ValueError`/`IndexError` that escaped the handler thread. - Wrap the parse in `try/except (ValueError, IndexError)` and fall back to HTTP 500, logging the malformed header value. - Add `TestMalformedStatusHeader` with two cases: empty `Status:` value and a non-numeric `Status:` value — both must return 500 without throwing.
didericis added 1 commit 2026-06-25 03:47:09 -04:00
fix: guard CGI Status-line parse in _write_cgi_response
test / unit (pull_request) Successful in 32s
Details
test / integration (pull_request) Successful in 16s
Details
lint / lint (push) Successful in 1m47s
Details
test / unit (push) Successful in 32s
Details
test / integration (push) Successful in 16s
Details
Update Quality Badges / update-badges (push) Successful in 1m19s
Details
9a878bd885 
An empty or non-numeric Status: header from git http-backend raised
ValueError/IndexError that escaped the handler thread. Wrap the parse
in a try/except and fall back to HTTP 500 instead.

Closes #254
didericis force-pushed harden-cgi-status-parsing from 3a702ccc75 to 9a878bd885 2026-06-25 03:47:09 -04:00 Compare
didericis merged commit 9a878bd885 into main 2026-06-25 04:02:21 -04:00
didericis deleted branch harden-cgi-status-parsing 2026-06-25 04:02:22 -04:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
 Kind/Bug
Something is not working
 Kind/Documentation
Documentation changes
 Kind/Enhancement
Improve existing functionality
 Kind/Feature
New functionality
 Kind/Security
This is security issue
 Kind/Testing
Issue or pull request related to testing
Priority
Critical
1
The priority is critical
Priority
High
2
The priority is high
Priority
Low
4
The priority is low
Priority
Medium
3
The priority is medium
Reviewed
Confirmed
1
Issue has been confirmed
Reviewed
Duplicate
2
This issue or pull request already exists
Reviewed
Invalid
3
Invalid issue
Reviewed
Won't Fix
3
This issue won't be fixed
Status
Abandoned
3
Somebody has started to work on this but abandoned work
Status
Blocked
1
Something is blocking this issue or pull request
Status
Need More Info
2
Feedback is required to reproduce issue or to continue work
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
didericis-claude (didericis (claude)) didericis-codex (didericis (codex)) didericis-gemma (gemma) didericis
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: didericis/bot-bottle#274
Delete Branch "harden-cgi-status-parsing"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?