Here's a snippet from paste.httpserver
    try:
        content_length = int(self.headers.get('Content-Length', '0'))
    except ValueError:
        content_length = 0
    if not hasattr(self.connection, 'get_context'):
        rfile = LimitedLengthFile(rfile, content_length)
This means that if there's no Content-Length request header the
request body would not be available anyway (cropped to zero length).
If you're using paste.httpserver you can just write middleware to
reject requests with Content-Length too big. I'd recommend using WebOb
as it would make this task rather trivial (under 10 lines of code I
think).
On Thu, Jul 24, 2008 at 00:11, Michael Bayer <[EMAIL PROTECTED]> wrote:
>
> On Jul 23, 2008, at 4:47 PM, Sergey Schetinin wrote:
>
>>> Whether or not CONTENT_LENGTH is set (and it wouldn't be present in the
>>> case
>>> of a malicious attack, though not sure if some other part of the HTTP
>>> stack
>>> catches that),
>>> the current approaches read the whole stream into a tempfile.
>>
>> It's not entirely up to the attacker, it depends on the server. The
>> attacker might omit Content-Length but the WSGI gateway can handle
>> that by pre-reading the input stream and setting actual
>> CONTENT_LENGTH, in that case Pylons app is not the place to handle the
>> limits anyway. I'd say it's not the place in any case because the
>> server / gate or middleware should do that.
>
> agreed. So should paste's own HTTP server support this within ?
>
>
--
Best Regards,
Sergey Schetinin
http://s3bk.com/ -- S3 Backup
http://word-to-html.com/ -- Word to HTML Converter
_______________________________________________
Paste-users mailing list
[email protected]
http://webwareforpython.org/cgi-bin/mailman/listinfo/paste-users
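The middleware Sergey suggests, written out as an added example that is not part of the thread, of paste, or of WebOb: it uses plain WSGI and the standard library instead of WebOb, and the 1 MiB limit, the `require_length` option and the `echo_size_app` / `run` helpers are assumptions made for this example.

```python
import io

DEFAULT_MAX_BYTES = 1024 * 1024  # assumed limit for this example: 1 MiB


def parse_content_length(environ):
    """Declared length as int, None if absent, -1 if malformed or negative."""
    raw = environ.get('CONTENT_LENGTH', '')
    if raw == '':
        return None
    try:
        length = int(raw)
    except ValueError:
        return -1
    return length if length >= 0 else -1


def limit_request_body(app, max_bytes=DEFAULT_MAX_BYTES, require_length=False):
    """Wrap a WSGI app: 413 on oversized, 400 on malformed, 411 (optional)
    on a bodied method that declares no Content-Length at all."""
    def middleware(environ, start_response):
        length = parse_content_length(environ)
        headers = [('Content-Type', 'text/plain')]
        if length == -1:
            start_response('400 Bad Request', headers)
            return [b'malformed Content-Length\n']
        if length is not None and length > max_bytes:
            start_response('413 Request Entity Too Large', headers)
            return [b'request body too large\n']
        if (length is None and require_length
                and environ.get('REQUEST_METHOD') in ('POST', 'PUT', 'PATCH')):
            # With no length the server decides how much body gets read
            # (paste.httpserver crops it to zero); strict setups can insist.
            start_response('411 Length Required', headers)
            return [b'Content-Length required\n']
        return app(environ, start_response)
    return middleware


def echo_size_app(environ, start_response):
    """Constructed inner app: reads the declared body and reports its size."""
    data = environ['wsgi.input'].read(max(parse_content_length(environ) or 0, 0))
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [('got %d bytes\n' % len(data)).encode()]


def run(app, method, body=b'', content_length=None):
    """Test harness: build a minimal environ, call app, return (status, body)."""
    environ = {'REQUEST_METHOD': method, 'wsgi.input': io.BytesIO(body),
               'CONTENT_LENGTH': '' if content_length is None else content_length}
    seen = []
    app_iter = app(environ, lambda status, headers, exc_info=None: seen.append(status))
    return seen[0], b''.join(app_iter)
```

Note that this only checks the declared length; a body sent without Content-Length is still whatever the server chooses to expose on `wsgi.input`, which is why the thread argues the server or gateway is the right place for the limit.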