#29800: Django hangs when Content-Length has incorrect value
-------------------------------------+-------------------------------------
     Reporter:  Alexander Charykov   |                    Owner:  Patrik
                                     |  Sletmo
         Type:  Bug                  |                   Status:  assigned
    Component:  HTTP handling        |                  Version:  2.1
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Patrik Sletmo):

 I skimmed through the WSGI specification and it contains a description on
 how to handle Content-Length headers shorter than the payload, but as
 Claude Paroz guessed it does not give any instructions for handling the
 opposite case.

 As the recommended way of running Django in production is behind a reverse
 proxy I don't think that there should be any fix implemented that attempts
 to mitigate the effect of a Slowloris attack. I do however think that from
 a usability standpoint it could make sense not to hang the entire
 application in case the request given above is received.

 Would there be any practical implications that could motivate against
 using a timeout period for receiving the data? If nginx is used as a
 reverse proxy with the default option proxy_request_buffering set, the
 timeout would limit the time required for transmitting the request from
 the reverse proxy to Django, and this really shouldn't take any
 substantial amount of time. I suppose that implementing a timeout option
 in Django in some situations could create the need to configure a timeout
 in both the reverse proxy and in Django, but I think that these cases are
 rather slim.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/29800#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
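
An added example, not part of the ticket or Django's own code: a request-body read bounded by a total deadline, so a request whose Content-Length is larger than the bytes actually sent ends in a timeout instead of blocking the worker. `read_body`, `demo` and the payloads are hypothetical names and constructed inputs.

```python
import socket
import time

def read_body(conn, content_length, timeout=0.5):
    """Read content_length bytes, giving up after `timeout` seconds in total.

    Returns (status, data): "ok", "eof" (peer closed early) or "timeout"
    (peer stayed connected but sent fewer bytes than it declared).
    """
    deadline = time.monotonic() + timeout
    chunks, remaining = [], content_length
    while remaining > 0:
        left = deadline - time.monotonic()
        if left <= 0:
            return "timeout", b"".join(chunks)
        conn.settimeout(left)  # bound each recv by the time still available
        try:
            chunk = conn.recv(min(remaining, 65536))
        except socket.timeout:
            return "timeout", b"".join(chunks)
        if not chunk:  # orderly shutdown before the declared length arrived
            return "eof", b"".join(chunks)
        chunks.append(chunk)
        remaining -= len(chunk)
    return "ok", b"".join(chunks)

def demo(declared, body, close_after_send=False, timeout=0.3):
    """Constructed scenario: a client declares `declared` bytes, sends `body`."""
    client, server = socket.socketpair()
    try:
        client.sendall(body)
        if close_after_send:
            client.shutdown(socket.SHUT_WR)
        return read_body(server, declared, timeout)
    finally:
        client.close()
        server.close()

if __name__ == "__main__":
    print(demo(3, b"a=1"))                          # declared length matches the body
    print(demo(10, b"a=1"))                         # Content-Length larger than the body
    print(demo(10, b"a=1", close_after_send=True))  # client closes before sending it all
```

The deadline covers the whole body rather than each `recv`, so a peer that trickles one byte at a time cannot extend the read indefinitely.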
