[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread miss-islington


miss-islington  added the comment:


New changeset 57038bcb24407a46e6d278d0ab4b6ad25bbf by Miss Islington (bot) 
in branch '3.7':
bpo-34576 warn users on security for http.server (GH-9720)
https://github.com/python/cpython/commit/57038bcb24407a46e6d278d0ab4b6ad25bbf


--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread miss-islington


miss-islington  added the comment:


New changeset 3baee3b39765f5e8ec616b2b71b731b140486394 by Miss Islington (bot) 
in branch '3.6':
bpo-34576 warn users on security for http.server (GH-9720)
https://github.com/python/cpython/commit/3baee3b39765f5e8ec616b2b71b731b140486394


--
nosy: +miss-islington




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread miss-islington


Change by miss-islington :


--
pull_requests: +9179




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread miss-islington


Change by miss-islington :


--
pull_requests: +9177




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread Senthil Kumaran


Senthil Kumaran  added the comment:


New changeset 1d26c72e6a9c5b28b27c158f2f196217707dbb0f by Senthil Kumaran 
(Felipe Rodrigues) in branch 'master':
bpo-34576 warn users on security for http.server (#9720)
https://github.com/python/cpython/commit/1d26c72e6a9c5b28b27c158f2f196217707dbb0f


--




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-05 Thread Felipe Rodrigues


Change by Felipe Rodrigues :


--
pull_requests: +9104




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-04 Thread Martin Panter


Martin Panter  added the comment:

Issue 34576 was recently opened about adding a security warning.

--
resolution:  -> duplicate
stage:  -> resolved
status: open -> closed
superseder:  -> [EASY doc] http.server, SimpleHTTPServer: warn users on security




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-09-24 Thread Christian Heimes

Changes by Christian Heimes :


--
assignee:  -> docs@python
components: +Documentation -Extension Modules
nosy: +docs@python
type: security -> enhancement
versions: +Python 3.7 -Python 3.2, Python 3.3, Python 3.4




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-01-04 Thread Richard Clifford

New submission from Richard Clifford:

The issue comes when there is a malformed HTTP request not ending in a new 
line; it causes the server to hang, not time out, and causes a DoS.

The request that I sent to the server was as follows:
const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n";

Which should have been:
const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n\r\n";

This causes the application to await the second set of new-line sequences and 
hang until they are received, which prevents any further connections from being 
made. 

I have just tested this against the latest versions of the library and I can 
supply proof-of-concept code if that would be useful - just let me know.

A recommended fix would be to ensure that all HTTP requests are received in 
full and in the correct manner prior to being parsed.

--
components: Extension Modules
files: basehttpdos.c
messages: 257446
nosy: Richard Clifford
priority: normal
severity: normal
status: open
title: Denial of Service in SimpleHTTPServer and BaseHTTPServer
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file41490/basehttpdos.c




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-01-04 Thread Martin Panter

Martin Panter added the comment:

I expect the server _is_ waiting for the end of the headers before handling the 
response. The problem is if you do not send the blank line, the server cannot 
know if you have ended the headers or if there are more to come.

Perhaps you could set a socket timeout in the server. But an attacker could 
still send little bits of the header very slowly (called Slow Loris attack or 
something I think). I think a server robust against that sort of stuff would be 
out of scope for SimpleHTTPServer.

--
nosy: +martin.panter

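Added example (not code from this thread, and not CPython's own): the per-connection socket timeout Martin suggests, applied to SimpleHTTPRequestHandler through the `timeout` class attribute it inherits from socketserver.StreamRequestHandler, and exercised against the two raw requests from the report (one missing the blank line that ends the headers, one well-formed). The handler class names, the 0.5 s value, the loopback server and the temporary document root are assumptions made for the demonstration.

```python
"""Per-connection timeout for http.server, demonstrated against a request that
never sends the blank line terminating its headers (added example, not CPython
code)."""
import functools
import http.server
import socket
import socketserver
import tempfile
import threading
import time
from pathlib import Path

# Constructed requests mirroring the bug report: the first never sends the empty
# line that terminates the header block, the second is the well-formed one.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost:8000\r\n"
COMPLETE_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost:8000\r\n\r\n"


class TimeoutHandler(http.server.SimpleHTTPRequestHandler):
    """`timeout` comes from socketserver.StreamRequestHandler: when it is not
    None the handler calls settimeout() on the accepted connection, so a read
    that blocks longer than this (here: waiting for the header terminator)
    raises socket.timeout. BaseHTTPRequestHandler.handle_one_request catches
    that and drops the connection instead of blocking the server forever."""

    timeout = 0.5  # seconds; deliberately short for the demonstration

    def log_message(self, format, *args):
        pass  # keep the demo quiet (the timeout is otherwise logged via log_error)


class LocalHTTPServer(http.server.HTTPServer):
    def server_bind(self):
        # Bypass HTTPServer.server_bind()'s getfqdn() reverse lookup, which can
        # stall on hosts without working name resolution; nothing here needs it.
        socketserver.TCPServer.server_bind(self)
        self.server_name, self.server_port = "localhost", self.server_address[1]


def start_server(docroot):
    """Serve `docroot` on an ephemeral loopback port from a daemon thread."""
    handler = functools.partial(TimeoutHandler, directory=docroot)
    server = LocalHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_raw(port, payload, client_timeout=5.0):
    """Send raw bytes and read until the server closes the connection.

    Returns (seconds_waited, bytes_received, closed_by_server). If the server
    still has not closed the socket after `client_timeout` seconds we give up;
    that is the hang the report describes."""
    start = time.monotonic()
    chunks = []
    closed = True
    with socket.create_connection(("127.0.0.1", port), timeout=client_timeout) as sock:
        sock.sendall(payload)
        try:
            while data := sock.recv(4096):
                chunks.append(data)
        except socket.timeout:
            closed = False
    return time.monotonic() - start, b"".join(chunks), closed


def run_demo():
    """Send the partial request, then a complete one, against the same
    single-threaded server and report what each client observed."""
    with tempfile.TemporaryDirectory() as docroot:
        Path(docroot, "index.html").write_text("<p>served</p>\n")
        server = start_server(docroot)
        try:
            port = server.server_address[1]
            partial_wait, partial_reply, partial_closed = send_raw(port, PARTIAL_REQUEST)
            _, complete_reply, complete_closed = send_raw(port, COMPLETE_REQUEST)
        finally:
            server.shutdown()
            server.server_close()
    return {
        "partial_wait": partial_wait,               # about 0.5 s, then EOF
        "partial_reply": partial_reply,             # b"": nothing is answered
        "partial_closed_by_server": partial_closed,
        "complete_reply": complete_reply,           # starts with HTTP/1.0 200 OK
        "complete_closed_by_server": complete_closed,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The timeout bounds how long one idle connection can occupy the server, which is what the report's request triggers; it does not bound a client that keeps sending a little more header data before each deadline, which is the caveat Martin raises, and on the single-threaded HTTPServer nothing else is served during that window either. On Python 3.7 and later, `http.server.ThreadingHTTPServer` at least lets other clients be served while one connection is stalled.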



[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-01-04 Thread STINNER Victor

STINNER Victor added the comment:

"I think a server robust against that sort of stuff would be out of scope for 
SimpleHTTPServer."

We can probably enhance SimpleHTTPServer but I agree that the server should 
remain simple. Maybe we should be more explicit in the documentation that the 
server requires trusting users?

--
nosy: +haypo




[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-01-04 Thread Senthil Kumaran

Senthil Kumaran added the comment:

SimpleHTTPServer is never meant to be used in production.

I was of the understanding that we already inform users about it in the 
documentation, but I do not find any such note. Only in wsgiref's 
simple_server.py example, we state that in the module header
https://hg.python.org/cpython/file/tip/Lib/wsgiref/simple_server.py#l1

For SimpleHTTPServer, we could add a similar warning in docs.

"SimpleHTTPServer is meant for demo purposes and does not implement the 
stringent security checks needed of a real HTTP server. We do not recommend 
using this module directly in production."

If an alternate wording is desired, please suggest that in the comments.

--
nosy: +orsenthil
