Bug report
Bug description:
The http.client library can be trapped forever by a server sending infinite chunked response trailers or 1xx header responses more rapidly than any optional timeout= used on the request. This was reported to us as https://github.com/python/cpython/security/advisories/GHSA-w4q2-g22w-6fr4 by @YLChen-007 - low severity given it requires equivalent server resources to tie up a client so it isn't a DoS amplification. This builds upon the partial fix for #88188 for GHSA-hr7v-m862-8hh8 which did not address these cases.
CPython versions tested on:
CPython main branch all the way back through 3.10 (and presumably much older EoL versions... this is old code)
Linked PRs
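Why a `timeout=` on the request does not help here: the value is a socket timeout, so it bounds each individual `recv()` inside `getresponse()`, not the whole exchange. A server that keeps sending one more interim response (or one more trailer line) before each timeout expires is never interrupted. The script below is an added illustration, not code from the issue or from CPython: it runs a constructed loopback server that streams `100 Continue` responses, shows a plain `http.client` call outliving its own `timeout=`, and contrasts it with a client-side wall-clock deadline enforced by shutting the socket down from a timer thread (one possible mitigation, not the CPython fix). It uses the 1xx case; the chunked-trailer case has the same shape.

```python
import http.client
import socket
import threading
import time


def _serve(listener, interim_count, pause):
    """Constructed misbehaving server (not real code from the issue): after
    reading the request it streams '100 Continue' interim responses, sleeping
    `pause` seconds between them, then finally sends a real 200. With
    interim_count=None it never sends the 200."""
    conn, _ = listener.accept()
    listener.close()
    try:
        conn.recv(4096)  # consume the request; its contents do not matter here
        sent = 0
        while interim_count is None or sent < interim_count:
            conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")
            sent += 1
            time.sleep(pause)
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    except OSError:
        pass  # the client gave up and tore down the connection
    finally:
        conn.close()


def start_server(interim_count, pause=0.0):
    """Bind an ephemeral loopback port and serve one connection in a daemon thread."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve, args=(listener, interim_count, pause),
                     daemon=True).start()
    return port


def fetch(port, timeout):
    """Plain http.client usage. Returns (elapsed_seconds, status, body).
    timeout= only bounds each blocking socket operation, so a server that keeps
    data arriving faster than the timeout is never interrupted."""
    start = time.monotonic()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read()
        return time.monotonic() - start, resp.status, body
    finally:
        conn.close()


def fetch_with_deadline(port, deadline):
    """Hardened variant (an illustration, not the CPython fix): enforce a
    wall-clock deadline for the whole exchange. A timer thread shuts the
    socket down when the deadline passes, so the readline() blocked inside
    getresponse() sees EOF and raises. Returns (elapsed, status, body), with
    status and body None when the deadline fired or the server misbehaved."""
    start = time.monotonic()
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=deadline)
    conn.connect()
    sock = conn.sock  # keep our own reference; conn.close() drops conn.sock

    def cut():
        try:
            sock.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass  # socket already closed by a successful completion

    timer = threading.Timer(deadline, cut)
    timer.daemon = True
    timer.start()
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read()
        return time.monotonic() - start, resp.status, body
    except (OSError, http.client.HTTPException):
        return time.monotonic() - start, None, None
    finally:
        timer.cancel()
        conn.close()


if __name__ == "__main__":
    # Eight interim responses 50 ms apart: 0.4 s total, yet timeout=0.2 never fires.
    port = start_server(interim_count=8, pause=0.05)
    print("per-operation timeout:", fetch(port, timeout=0.2))
    # Endless interim responses: only the wall-clock deadline gets us out.
    port = start_server(interim_count=None, pause=0.01)
    print("wall-clock deadline:", fetch_with_deadline(port, deadline=0.5))
```

The first call succeeds after roughly twice its `timeout=`; the second returns `None` status shortly after the deadline instead of hanging. Shutting the socket down from another thread is what unblocks the reader; closing the file descriptor from another thread is less safe because the descriptor number can be reused.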