#29800: Django hangs when Content-Length has incorrect value
-------------------------------------+-------------------------------------
     Reporter:  Alexander Charykov   |                    Owner:  patriksletmo
         Type:  Bug                  |                   Status:  assigned
    Component:  HTTP handling        |                  Version:  2.1
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Tim Graham):

 The security team discussed this issue to confirm that we shouldn't treat
 it as a security issue.

 From Markus Holtermann:

 The issue can also be reproduced with:

 $ gunicorn foo.wsgi --access-logfile - --worker-connections 5

 From Simon Charette:

 I cannot reproduce when Django is behind a reverse proxy such as NGINX
 with proxy_request_buffering on, which is the default.

 Given the development server should never be used in production and
 gunicorn documentation strongly recommends using it behind a proxy server,
 this doesn't sound severe to me. We should add a timeout on body read to
 the development server, but it's unlikely to be an attack vector if you
 already follow best practice.

 I mean, both Django's development server and gunicorn have been known to
 be vulnerable to slow loris attacks and friends for a while at this point,
 and it feels to me that serving Django apps behind a reverse proxy is the
 norm nowadays.

 From Collin Anderson:

 I think this has come up before (or maybe it's a related issue):
 https://groups.google.com/d/topic/django-developers/bYzHczKNoqM/discussion

 From Claude Paroz:

 Might be worth reaching out to Graham Dumpleton about this issue. The WSGI
 specs talk about a CONTENT_LENGTH shorter than the payload, but I'm not
 sure it addresses the reverse issue.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/29800#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
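The body-read timeout Simon Charette suggests, as an added example that is not part of the ticket or of Django's own code: a bounded reader that gives up with a status instead of blocking when a client declares a Content-Length larger than what it actually sends. A constructed socket pair plays both client and server; the timeout value and the function names are assumptions.

```python
import socket
import threading

# Assumed timeout for this example; a real server would make it configurable.
BODY_READ_TIMEOUT = 0.5  # seconds


def read_body(conn, content_length, timeout=BODY_READ_TIMEOUT):
    """Read exactly content_length bytes from conn or fail fast.

    Returns (body, status) where status is "ok", "timeout" (peer stalled
    before sending the declared length) or "closed" (peer hung up early).
    Anything other than "ok" should be answered with a 400 and the connection
    dropped, so the worker is not tied up waiting for bytes that never come.
    """
    conn.settimeout(timeout)
    chunks, remaining = [], content_length
    while remaining > 0:
        try:
            chunk = conn.recv(min(remaining, 65536))
        except socket.timeout:
            return b"".join(chunks), "timeout"
        if not chunk:
            return b"".join(chunks), "closed"
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks), "ok"


def simulate(declared_length, actual_body, close_after=False):
    """Constructed client: declares `declared_length` bytes, sends only
    `actual_body`, then either closes or keeps the connection open and silent
    (the mismatch the ticket describes)."""
    server_side, client_side = socket.socketpair()
    done = threading.Event()

    def client():
        client_side.sendall(actual_body)
        if not close_after:
            done.wait()  # stall without sending the rest of the body
        client_side.close()

    t = threading.Thread(target=client)
    t.start()
    result = read_body(server_side, declared_length)
    done.set()
    t.join()
    server_side.close()
    return result
```

`simulate(100, b"hello")` returns `(b"hello", "timeout")` after half a second rather than hanging, while a well-formed request such as `simulate(5, b"hello")` returns `(b"hello", "ok")`.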
