[issue16083] HTTPServer does not correctly handle bad headers
Terry J. Reedy added the comment: Is this really a security issue? If so, that should be explained. -- nosy: +terry.reedy ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue16083 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue16083] HTTPServer does not correctly handle bad headers
Changes by Antoine Pitrou pit...@free.fr: -- nosy: +orsenthil
[issue16083] HTTPServer does not correctly handle bad headers
Michele Orrù added the comment: Well, it is a security issue IMO, but not particularly harmful. But certainly that's not an RFC violation, since I'm not sending RFC-compliant packets.[0] The best an attacker could do is to DDoS the server running HTTPServer: tracebacks may open file descriptors and/or send emails to the sysadmin, and hence the attacker could flood the server opening new file descriptors, or the email box.[0] At least, this is the worst thing that came to my mind discussing with exarkun.

[0] https://twistedmatrix.com/trac/ticket/6029
[issue16083] HTTPServer does not correctly handle bad headers
New submission from Michele Orrù: Sending a GET /\0 causes a TypeError to be raised and the connection to be unexpectedly closed.

    $ python -m SimpleHTTPServer 8000
    $ printf 'GET /\00' | nc localhost 8000
    TypeError: must be encoded string without NULL bytes, not str

I think raising a 400 error should be fine. Also, shouldn't the error message contain a repr(string)?

[From http://corte.si/posts/code/pathod/pythonservers/index.html]

-- components: Library (Lib)
messages: 171435
nosy: maker
priority: normal
severity: normal
status: open
title: HTTPServer does not correctly handle bad headers
type: security
versions: Python 2.7, Python 3.1, Python 3.2, Python 3.3, Python 3.4
[issue16083] HTTPServer does not correctly handle bad headers
Changes by Christian Heimes li...@cheimes.de: -- nosy: +christian.heimes
[issue16083] HTTPServer does not correctly handle bad headers
Changes by Michele Orrù maker...@gmail.com: -- nosy: +exarkun
[issue16083] HTTPServer does not correctly handle bad headers
Changes by Michele Orrù maker...@gmail.com: -- nosy: -exarkun
[issue16083] HTTPServer does not correctly handle bad headers
Michele Orrù added the comment: Note: on python3, the error is

    File "/[...]/cpython/Lib/genericpath.py", line 41, in isdir
        st = os.stat(s)
    TypeError: embedded NUL character

(same exception but different message.)

I don't know where to start fixing, because the documentation for os.stat says "Perform the equivalent of a stat() system call on the given path.", which is not exactly the correct behavior in this case. I see that

    $ printf '/\00' | xargs stat

stat()s correctly the root directory, and

    $ printf '/\00tmp' | xargs stat

stat()s still '/'. So, is this a bug of os.stat? Nosying some coredevs.

-- nosy: +eric.araujo, ezio.melotti, r.david.murray
[issue16083] HTTPServer does not correctly handle bad headers
R. David Murray added the comment: There has been some discussion about what the correct behavior of os.stat is, as well, I think. Alex Gaynor raised a question about testing our behavior when nulls are present. But clearly, if the desired behavior for url processing is different from the actual behavior of os.stat, you need to catch the error and turn it into the correct response. I don't think we can change this aspect of the behavior of os.stat for a bug fix, even if we decide we want to.

-- nosy: +alex
[issue16083] HTTPServer does not correctly handle bad headers
Changes by Michele Orrù maker...@gmail.com: Added file: http://bugs.python.org/file27337/issue16083.patch
[issue16083] HTTPServer does not correctly handle bad headers
Michele Orrù added the comment: Attaching tests that assert the issue, and a patch for http.server. Works on tip. Should it also be ported to 2.x? Note: that 'f = None' is unnecessary, maybe an isolated commit for that?

-- keywords: +patch
Added file: http://bugs.python.org/file27336/issue16083.tests.patch
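The following is an added illustration of R. David Murray's suggestion above (catch the error and turn it into a 400), not the patch attached to this issue and not CPython's own code. The handler class name `NulSafeHandler` is hypothetical; it assumes Python 3's `http.server`, and it catches both TypeError (the message quoted above for 3.1-3.4) and ValueError (what current Python raises for an embedded NUL), so the same check works across 3.x.

```python
"""Turn NUL bytes in a request path into HTTP 400 instead of a traceback.
Added example for bugs.python.org issue16083, not code from the issue's patch."""
import os
import urllib.parse
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler


def request_path_problem(raw_path):
    """Return a reason string if the request-line path must be rejected with
    400, else None.  Query and fragment are dropped and percent-escapes are
    decoded the way translate_path() does, so a literal NUL (as sent with
    printf in the report) and an encoded %00 are both caught before any
    filesystem call sees them."""
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    path = urllib.parse.unquote(path)
    if "\x00" in path:
        return "NUL byte in request path"
    return None


def stat_rejects_path(path):
    """True if Python itself refuses to stat() the path because of an embedded
    NUL.  TypeError is what the report quotes on 3.1-3.4; current Python
    raises ValueError for the same input.  An OSError such as ENOENT means
    the path was syntactically fine, so that yields False."""
    try:
        os.stat(path)
    except (TypeError, ValueError):
        return True
    except OSError:
        return False
    return False


class NulSafeHandler(SimpleHTTPRequestHandler):
    """Hypothetical handler: validate the path first, then wrap the stock
    send_head() so an embedded-NUL error that still escapes becomes a 400
    response instead of a traceback and an abruptly closed connection."""

    def send_head(self):
        problem = request_path_problem(self.path)
        if problem is not None:
            self.send_error(HTTPStatus.BAD_REQUEST, problem)
            return None
        try:
            return super().send_head()
        except (TypeError, ValueError):
            self.send_error(HTTPStatus.BAD_REQUEST, "Bad request path")
            return None
```

Serve with `http.server.ThreadingHTTPServer(("127.0.0.1", 8000), NulSafeHandler).serve_forever()`; the `printf 'GET /\00' | nc localhost 8000` request from the report then receives a 400 and the connection is closed cleanly.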