New submission from Mohammed Dief <[email protected]>:
- Hello there, 2 days ago I discovered a DoS on http.server in Python that
allows me to take any Python http.server down using fewer than 1k requests. I
reported it to PSRT, but they said I should report it here since http.server
isn't for production. So here's the issue: in server.py, the http.server library
has a really big value on the validation, and checks whether the first line of
the request (method /path HTTP/VERSION) has more than 65k characters inside of
it using the `len()` function.
- In this case, the user is able to provide a method 65k characters long and the
server will accept it. If you send one request with this number of characters
inside of the request using cURL, you will notice that the server can handle
it. But after creating a big loop of 1k requests with the same characters, the
server was taken down and didn't respond again, since it was trying to process
this amount of data.
- Such an attack could be used to take down any Python server running using the
http.server module. But since it's not for production, like the documentation
says, the attack surface isn't that wide.
- To prove this issue, you can use this command while running your server on
port 8080 (or any port; you just need to modify the command):

    for i in $(python3 -c "print('A\n'*10000)"); do curl -X $(python3 -c "print('A'*10000)") 'http://localhost:8080/404' ; done
- Then the server should be taken down after many requests. Also, I managed to
fix this issue from my side by adding character validation to the code to avoid
interacting with the long data many times. Should I submit it here, or should I
create a PR? PS: my fix doesn't change the main requestline validation int.
----------
messages: 390849
nosy: demonia
priority: normal
severity: normal
status: open
title: Denial of service on http.server module with large request method.
type: security
versions: Python 3.6
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue43813>
_______________________________________
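The report above describes a request line whose method token is far longer than any real HTTP method but still under the 65536-byte limit that `BaseHTTPRequestHandler.handle_one_request` enforces on the whole line. As an added example (not code from the report or from CPython), the handler below bounds the method token and the request target separately in a `parse_request` override, so an oversized token is rejected before headers are read and is never echoed back into the error response. The limits `MAX_METHOD_LEN` and `MAX_TARGET_LEN` are assumed values chosen for illustration, and the fake socket is a constructed stand-in that lets the handler run offline against a constructed request with the report's 10000-byte method.

```python
"""Added example: bound the method token and request-target length in a
BaseHTTPRequestHandler subclass, exercised offline through a fake socket.
This is not code from the bug report or from CPython; MAX_METHOD_LEN and
MAX_TARGET_LEN are assumed limits chosen for illustration."""
import io
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler

MAX_METHOD_LEN = 20      # assumption: generous for every registered HTTP method
MAX_TARGET_LEN = 4096    # assumption: a typical server/proxy limit on the target


class _Quiet:
    """Suppress the default access log on stderr (this example is offline)."""
    def log_message(self, fmt, *args):
        pass


class StockHandler(_Quiet, BaseHTTPRequestHandler):
    """Behaves like http.server as shipped: only the 65536-byte line limit applies."""
    def do_GET(self):
        self.send_error(HTTPStatus.NOT_FOUND)


class BoundedHandler(StockHandler):
    """Reject oversized method/target tokens before headers are read or echoed."""
    def parse_request(self):
        words = self.raw_requestline.split()
        error = None
        if words and len(words[0]) > MAX_METHOD_LEN:
            error = (HTTPStatus.NOT_IMPLEMENTED, "Method token too long")
        elif len(words) >= 2 and len(words[1]) > MAX_TARGET_LEN:
            error = (HTTPStatus.REQUEST_URI_TOO_LONG, None)
        if error is not None:
            # Mirror the base class's own 65536-byte path: blank the request
            # fields so nothing large is logged or echoed, and make
            # request_version '' (not the HTTP/0.9 sentinel) so a status
            # line is still emitted.
            self.command = None
            self.requestline = ''
            self.request_version = ''
            self.send_error(*error)
            return False            # handle_one_request() stops here
        return super().parse_request()


class _FakeSocket:
    """Constructed stand-in: just enough of a connected socket for setup()/finish()."""
    def __init__(self, request: bytes):
        self._rfile = io.BytesIO(request)
        self.sent = bytearray()

    def makefile(self, mode, buffering=-1):
        return self._rfile          # only 'rb' is requested; writes go via sendall()

    def sendall(self, data):
        self.sent += data


def serve_one(handler_cls, raw_request: bytes) -> bytes:
    """Run one request through handler_cls with no network; return the raw response."""
    sock = _FakeSocket(raw_request)
    handler_cls(sock, ("127.0.0.1", 0), None)   # constructor runs setup/handle/finish
    return bytes(sock.sent)


def status_code(response: bytes) -> int:
    """Status code from the first line of a raw HTTP response."""
    return int(response.split(b"\r\n", 1)[0].split()[1])


# Constructed inputs: a normal request, the report's 10000-byte method, a long target.
NORMAL = b"GET /404 HTTP/1.0\r\n\r\n"
LONG_METHOD = b"A" * 10000 + b" /404 HTTP/1.0\r\n\r\n"
LONG_TARGET = b"GET /" + b"A" * 8000 + b" HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    cases = [("normal", NORMAL), ("long method", LONG_METHOD), ("long target", LONG_TARGET)]
    for name, req in cases:
        stock = serve_one(StockHandler, req)
        bounded = serve_one(BoundedHandler, req)
        print(f"{name:12} stock: {status_code(stock)} ({len(stock)} bytes)"
              f"  bounded: {status_code(bounded)} ({len(bounded)} bytes)")
```

Running the script shows the difference the check makes: both handlers answer the 10000-byte method with 501, but the stock handler's "Unsupported method (%r)" message puts the whole token into the status line and the HTML body, so its response is larger than the request, while the bounded handler answers with a few hundred bytes and never parses the headers. A long request target is only caught by the bounded handler (414); the stock handler passes it through to `do_GET`.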