Fix uncaught exception in MCP server by ddworken · Pull Request #822 · modelcontextprotocol/python-sdk
Conversation
Motivation and Context
This fixes an uncaught exception in the MCP server
How Has This Been Tested?
Via unit tests and locally.
Breaking Changes
None.
Types of changes
- Bug fix (non-breaking change which fixes an issue)
- New feature (non-breaking change which adds functionality)
- Breaking change (fix or feature that would cause existing functionality to change)
- Documentation update
Checklist
- I have read the MCP Documentation
- My code follows the repository's style guidelines
- New and existing tests pass locally
- I have added appropriate error handling
- I have added or updated documentation as needed
Additional context
ddworken
marked this pull request as ready for review
So to clarify, currently this is blocking from using the streamable-http transport inside clients such as Windsurf or Claude Desktop correct?
Hmm, this shouldn't be blocking any clients, it is just adding error handling for a previously unhandled exception. Have you observed issues with this PR in certain clients?
@bruno-oliveira This shouldn't be blocking anyone, but it does fix a huge security issue with remote servers. Currently anyone can lock up a server just by sending a bad payload #820
| await self._handle_incoming(responder) | ||
| if not responder._completed: # type: ignore[reportPrivateUsage] | ||
| await self._handle_incoming(responder) | ||
| except Exception as e: |
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think is better to handle a specific exceptions before the general one, such as RuntimeError (Which mentioned in this issue)
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that the risk is the server becoming unresponsive, I believe catching all exceptions to isolate errors to a single request is correct.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is a valid answer from the package's point of view.
It makes it considerably hard to maintain the package if everything is except Exception.
I'm a bit baffled that a security issue like this is still open
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Comment on lines +396 to +397
| session_message = SessionMessage( | ||
| message=JSONRPCMessage(error_response)) |
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How this got merged?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters