Michael Bayer wrote:
> On Jul 23, 2008, at 4:47 PM, Sergey Schetinin wrote:
> 
>>> Whether or not CONTENT_LENGTH is set (and it wouldn't be present in the case
>>> of a malicious attack, though not sure if some other part of the HTTP stack
>>> catches that), the current approaches read the whole stream into a tempfile.
>> It's not entirely up to the attacker, it depends on the server. The
>> attacker might omit Content-Length but the WSGI gateway can handle
>> that by pre-reading the input stream and setting actual
>> CONTENT_LENGTH, in that case Pylons app is not the place to handle the
>> limits anyway. I'd say it's not the place in any case because the
>> server / gate or middleware should do that.
> 
> agreed.  So should paste's own HTTP server support this within ?

I'm not sure about the other stuff in this thread, but my impression is 
that there is a problem here with Paste's HTTP server closing 
connections properly.  If you give a response without reading 
wsgi.input, the Paste HTTP server should do whatever is necessary to 
send that response, including closing the incoming connection in the 
proper way.  I'm not sure what the proper way *is*, but that seems to be 
the problem.

Then the limiting middleware would be:

class LimitPost(object):
    def __init__(self, app, post_limit):
        self.app = app
        self.post_limit = post_limit  # -1 disables the limit

    def __call__(self, environ, start_response):
        # CONTENT_LENGTH may be absent or an empty string; treat both as 0
        content_length = int(environ.get('CONTENT_LENGTH') or '0')
        if self.post_limit != -1 and self.post_limit < content_length:
            return self.reject_request(environ, start_response)
        return self.app(environ, start_response)

    def reject_request(self, environ, start_response):
        # Respond without ever touching wsgi.input; the body is left unread
        start_response('413 Request Entity Too Large',
                       [('content-type', 'text/html')])
        body = '''<html><head><title>413 Request Too Large</title>
          </head><body>
          <h1>413 Request Too Large</h1>
          <p>You tried to submit a request that was %s bytes long,
          and there is a limit of %s bytes</p>
          </body></html>''' % (environ['CONTENT_LENGTH'], self.post_limit)
        return [body.encode('utf-8')]  # WSGI response bodies are bytes

That *should* work.  If it does not (like the browser thinks it is still 
sending the request), then I think that is a problem with the server.

-- 
Ian Bicking : [EMAIL PROTECTED] : http://blog.ianbicking.org
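Added example, not Ian's middleware above and not part of Paste: it keeps the early 413 for an over-limit Content-Length, and also covers the case Sergey raised (header absent, empty, or simply wrong) by capping what the application can read from wsgi.input. The names LimitBody, CappedInput, echo_length and drive are made up for this example, and drive builds a constructed environ in place of a real server.

```python
import io, sys

class BodyTooLarge(Exception): pass

class CappedInput(object):
    # Wraps wsgi.input so the app is never handed more than `limit` bytes.
    def __init__(self, stream, limit):
        self.stream, self.limit, self.consumed = stream, limit, 0
    def read(self, size=-1):
        # Ask for one byte past the allowance so an over-limit body is caught, not truncated.
        allowed = self.limit - self.consumed + 1
        data = self.stream.read(allowed if size < 0 or size > allowed else size)
        self.consumed += len(data)
        if self.consumed > self.limit:
            raise BodyTooLarge(self.consumed)
        return data

class LimitBody(object):
    def __init__(self, app, post_limit):
        self.app, self.post_limit = app, post_limit
    def __call__(self, environ, start_response):
        declared = environ.get('CONTENT_LENGTH') or ''  # may be absent or ''
        if declared.isdigit() and int(declared) > self.post_limit:
            return self.reject(start_response, declared)  # rejected unread
        # Cap the stream in every other case: the header may be absent or a lie.
        environ['wsgi.input'] = CappedInput(environ['wsgi.input'], self.post_limit)
        try:
            return self.app(environ, start_response)
        except BodyTooLarge:  # exc_info lets reject() replace a status the app set
            return self.reject(start_response, 'over %d' % self.post_limit,
                               sys.exc_info())
    def reject(self, start_response, size, exc_info=None):
        body = ('413: body of %s bytes exceeds %d byte limit\n'
                % (size, self.post_limit)).encode('ascii')
        start_response('413 Request Entity Too Large', [('Content-Type',
                       'text/plain'), ('Content-Length', str(len(body)))], exc_info)
        return [body]

def echo_length(environ, start_response):  # reads the whole body, like Pylons does
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [str(len(environ['wsgi.input'].read())).encode('ascii')]

def drive(app, body, content_length=None):  # constructed environ -> (status, bytes)
    environ = {'REQUEST_METHOD': 'POST', 'wsgi.input': io.BytesIO(body)}
    if content_length is not None:
        environ['CONTENT_LENGTH'] = content_length
    seen = []
    app_out = app(environ, lambda s, h, exc_info=None: seen.append(s))
    return seen[-1], b''.join(app_out)
```

The exc_info path only works because WSGI servers hold the status and headers until the first body chunk is yielded; an application that streams its response while still reading the body cannot be rescued this way.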

_______________________________________________
Paste-users mailing list
[email protected]
http://webwareforpython.org/cgi-bin/mailman/listinfo/paste-users
