[PR #11887/7a067d19 backport][3.13] Reject non-ascii digits in Range header (#11903)

patchback[bot] · Dreamsorcerer · web-flow · commit c7b7a044f88c · 2026-01-03T00:39:41.000Z
**This is a backport of PR #11887 as merged into master (7a067d1).** Co-authored-by: Sam Bull <git@sambull.org>
diff --git a/aiohttp/web_request.py b/aiohttp/web_request.py
@@ -607,7 +607,7 @@ def http_range(self) -> slice:
         if rng is not None:
             try:
                 pattern = r"^bytes=(\d*)-(\d*)$"
-                start, end = re.findall(pattern, rng)[0]
+                start, end = re.findall(pattern, rng, re.ASCII)[0]
             except IndexError:  # pattern was not found in header
                 raise ValueError("range not in acceptable format")
 
diff --git a/tests/test_web_request.py b/tests/test_web_request.py
@@ -244,6 +244,13 @@ def bytes_gen(size):
     assert req.content[req.http_range] == payload[-500:]
 
 
+def test_range_non_ascii() -> None:
+    # ५ = DEVANAGARI DIGIT FIVE
+    req = make_mocked_request("GET", "/", headers=CIMultiDict([("RANGE", "bytes=4-५")]))
+    with pytest.raises(ValueError, match="range not in acceptable format"):
+        req.http_range
+
+
 def test_non_keepalive_on_http10() -> None:
     req = make_mocked_request("GET", "/", version=HttpVersion(1, 0))
     assert not req.keep_alive
