http.server parses HTTP version numbers too permissively.

http.server accepts request lines with HTTP version numbers that have '_', '+', and '-'.

Reproduction steps:

(Requires netcat)

python3 -m http.server --bind 127.0.0.1
printf 'GET / HTTP/-9_9_9.+9_9_9\r\n\r\n' | nc 127.0.0.1 8000

Justification

Here are the HTTP-version definitions from each of the three HTTP RFCs:

• RFC 2616:

HTTP-Version   = "HTTP" "/" 1*DIGIT "." 1*DIGIT

• RFC 7230:

HTTP-version  = HTTP-name "/" DIGIT "." DIGIT
HTTP-name     = %x48.54.54.50 ; "HTTP", case-sensitive

• RFC 9112:

HTTP-version  = HTTP-name "/" DIGIT "." DIGIT
HTTP-name     = %s"HTTP"

I understand allowing multiple digits for backwards-compatibility with RFC 2616, but I don't think it makes sense to let the specifics of int leak out into the world. We should at least ensure that only digits are permitted in HTTP version numbers.

My environment

• CPython 3.12.0a6+
• Operating system and architecture: Arch Linux on x86_64

Linked PRs

• gh-103204: http.server - Enforce that HTTP version numbers must consist only of digits #103205
• [3.11] gh-103204: http.server - Enforce that HTTP version numbers must consist only of digits (GH-103205) #104438