#29800: Django hangs when Content-Length has incorrect value
-------------------------------------+-------------------------------------
     Reporter:  Alexander Charykov   |                    Owner:  Patrik Sletmo
         Type:  Bug                  |                   Status:  assigned
    Component:  HTTP handling        |                  Version:  2.1
     Severity:  Normal               |               Resolution:
     Keywords:                       |             Triage Stage:  Accepted
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------

Comment (by Patrik Sletmo):

 I've been thinking some more on how to handle this issue and right now I'm
 considering the possibility of not fixing it at all. The two alternatives
 would in that case be the following:

 1. Mark the issue as "wontfix".

 or

 2. Document the issue so that users are aware of its existence, and refer
 to the use of a reverse proxy. My suggestion is that it could be added
 here somehow
 https://docs.djangoproject.com/en/2.1/topics/security/#additional-security-topics.

 The reasoning behind not providing any fix beyond what has been suggested
 above is simple. The types of HTTP requests triggering the hang are
 typically only crafted by a malicious party with the intention to trigger
 this sort of bug. I can not imagine any case in which the behaviour
 documented in this issue would come as a surprise to anyone performing
 this request on their development server.

 As this bug is nearly never triggered unintentionally when developing, and
 also protected against when deployed properly in production, I think that
 it seems strange to introduce additional functionality that must be
 maintained. I would say that an introduced timeout comes with more
 complications than it solves.

 Do you have any opinion on the above mentioned proposals, Alexander
 Charykov and Tim Graham?

--
Ticket URL: <https://code.djangoproject.com/ticket/29800#comment:7>
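
The comment above weighs a read timeout against relying on a reverse proxy. The following is an added example, not Django's code and not part of the ticket, showing what a deadline-bounded body read looks like when the declared Content-Length exceeds the bytes actually sent. The names `read_body`, `BodyTimeout` and `demo`, the 408 response string, and the assumption that the client keeps the connection open are all hypothetical.

```python
import socket
import time

class BodyTimeout(Exception):
    """Client declared more body bytes than it delivered before the deadline."""

def read_body(conn, content_length, deadline_s=0.5):
    """Read exactly content_length bytes from conn, or raise BodyTimeout.

    A plain blocking read of content_length bytes waits indefinitely when the
    client sends fewer bytes and keeps the connection open; one overall
    deadline bounds that wait regardless of how the bytes trickle in.
    """
    chunks, remaining = [], content_length
    end = time.monotonic() + deadline_s
    while remaining > 0:
        left = end - time.monotonic()
        if left <= 0:
            raise BodyTimeout(f"{remaining} of {content_length} bytes missing")
        conn.settimeout(left)  # per-recv timeout shrinks toward the deadline
        try:
            data = conn.recv(min(remaining, 65536))
        except socket.timeout:
            raise BodyTimeout(f"{remaining} of {content_length} bytes missing")
        if not data:  # peer closed early: body is short, but nothing hangs
            raise BodyTimeout("connection closed before full body arrived")
        chunks.append(data)
        remaining -= len(data)
    return b"".join(chunks)

def demo(declared, body):
    """Constructed sample: client sends `body` but declares `declared` bytes."""
    client, server = socket.socketpair()
    try:
        client.sendall(body)  # assumed: the client leaves the connection open
        try:
            return read_body(server, declared, deadline_s=0.2)
        except BodyTimeout as exc:
            return f"408 Request Timeout ({exc})"
    finally:
        client.close()
        server.close()

if __name__ == "__main__":
    print(demo(5, b"hello"))   # Content-Length matches the body
    print(demo(10, b"hello"))  # Content-Length larger than the body
```
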