On Thu, Jun 7, 2018 at 10:13 PM, Steven D'Aprano
<steve+comp.lang.pyt...@pearwood.info> wrote:
> On Thu, 07 Jun 2018 19:47:03 +1000, Chris Angelico wrote:
>
>> To be fair, it's somewhat unideal behaviour - I would prefer to see an
>> HTTP 500 come back if the server crashes - but I can't see that that's a
>> security problem.
>
> You think that being able to remotely crash a webserver isn't a security
> issue?
>
>
> If Denial Of Service isn't a security issue in your eyes, what would it
> take? "Armed men burst into your house and shoot you"?
>
> *only half a wink*
>

By "crash" I mean that the request handler popped out an exception.
The correct behaviour is to send back a 500 and go back to handling
requests; with the extremely simple server given in that example, it
fails to send back the 500, but it DOES go back to handling requests.
So it's not a DOS. In any real server environment, this wouldn't have
any significant impact; even in this trivially simple server, the only
way you could hurt the server is by spamming enough of these that it
runs out of file handles for sockets or something.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
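
The behaviour described in the reply above, as an added example that is not part of the original thread. It assumes the "extremely simple server" is built on Python's standard-library http.server (the thread does not show it); the handler names and the /boom path are hypothetical. It compares a handler that lets an exception escape with one that answers 500, and checks that the next request is still served either way.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

class NaiveHandler(BaseHTTPRequestHandler):
    """Lets exceptions escape: socketserver reports them and closes the socket."""
    def do_GET(self):
        if self.path == "/boom":  # constructed trigger standing in for a handler bug
            raise ValueError("handler bug")
        self.send_response(200)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # silence per-request logging for the demo
        pass

class Returns500Handler(NaiveHandler):
    """Same logic, but a failure is reported to the client as HTTP 500."""
    def do_GET(self):
        try:
            super().do_GET()
        except Exception:
            self.send_error(500)  # nothing has been written yet, so this is safe

class QuietServer(HTTPServer):
    def handle_error(self, request, client_address):
        pass  # the default implementation prints the traceback to stderr

def probe(handler_cls, paths=("/boom", "/")):
    """Serve on an ephemeral localhost port and return one outcome per path."""
    server = QuietServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    outcomes = []
    for path in paths:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        try:
            conn.request("GET", path)
            outcomes.append(conn.getresponse().status)
        except (http.client.HTTPException, OSError):
            outcomes.append("no response")  # connection closed without a status line
        finally:
            conn.close()
    server.shutdown()
    server.server_close()
    return outcomes

if __name__ == "__main__":
    print(probe(NaiveHandler), probe(Returns500Handler))
```

The sockets-and-file-handles concern raised in the reply is a separate matter of connection limits and timeouts, which this example does not cover.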
