[issue45795] urllib http client vulnerable to DOS attack

2021-11-26 Thread Senthil Kumaran


Senthil Kumaran  added the comment:

Hi Muhammad, 

I haven't gotten to this. urllib doesn't maintain a client state during 
multiple request / response.

The code is available here 
https://github.com/python/cpython/tree/main/Lib/urllib

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue45795] urllib http client vulnerable to DOS attack

2021-11-26 Thread Muhammad Farhan


Muhammad Farhan  added the comment:

Hi,
Hope all of you are doing good. Looks like you guys are not interested in this 
issue. Can you please provide me the source code for the urllib? I will fix it 
myself.

--




[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Muhammad Farhan


Muhammad Farhan  added the comment:

Maximum time in seconds that you allow the whole operation to take. This is 
useful for preventing your batch jobs from hanging for hours due to slow 
networks or links going down. Since 7.32.0, this option accepts decimal values, 
but the actual timeout will decrease in accuracy as the specified timeout 
increases in decimal precision.

If this option is used several times, the last one will be used.

Examples:

 curl --max-time 10 https://example.com
 curl --max-time 2.92 https://example.com

Ref: 
https://curl.se/docs/manpage.html#-m

--




[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Christian Heimes


Christian Heimes  added the comment:

Please don't post screenshots. Screenshots are neither accessible nor 
searchable. It's better to link to documentation and copy the relevant 
sentences here.

--
nosy: +christian.heimes




[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Muhammad Farhan


Muhammad Farhan  added the comment:

So, the idea is to make timeout for the whole operation and it should not reset 
in any case.

--




[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Muhammad Farhan


Muhammad Farhan  added the comment:

See the max_time.png and curl.png

--
Added file: https://bugs.python.org/file50449/curl.png




[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Muhammad Farhan


Muhammad Farhan  added the comment:

Yes, other clients like curl do not reset the timeout.

See the attached screenshots for references.

--
Added file: https://bugs.python.org/file50448/max_time.png




[issue45795] urllib http client vulnerable to DOS attack

2021-11-17 Thread Senthil Kumaran


Senthil Kumaran  added the comment:

> Timeout value should not be reset after client receives a data(bytes), 
> because it can easily be abused to achieve DOS.

Interesting. I looked at the server example.

Do clients like curl have something like this too?

--




[issue45795] urllib http client vulnerable to DOS attack

2021-11-17 Thread Ned Deily


Change by Ned Deily :


--
nosy: +orsenthil




[issue45795] urllib http client vulnerable to DOS attack

2021-11-15 Thread Muhammad Farhan


Muhammad Farhan  added the comment:

Is any one going to respond?

--




[issue45795] urllib http client vulnerable to DOS attack

2021-11-12 Thread Muhammad Farhan


New submission from Muhammad Farhan :

Hi. During my recent tests I have discovered that the urllib http client 
(urllib.request.urlopen()) is vulnerable to a DOS attack using a simple but 
effective trick.

I am attaching a file named server.py; download it and run it using the latest 
version of Python. After running it, execute the following Python code in 
interactive mode (python -i):

import urllib.request
request = urllib.request.Request('http://127.0.0.1:1338')
# pass the Request object created above; the per-operation timeout is 1 second
response = urllib.request.urlopen(request, timeout=1)

DOS limit: We can achieve DOS for unlimited time.

How to fix?
Implement good timeout logic in urllib.request.urlopen(url, timeout). 
The timeout value should not be reset after the client receives data (bytes), 
because it can easily be abused to achieve DOS.

--
components: Library (Lib)
files: server.py
messages: 406220
nosy: haqsek2
priority: normal
severity: normal
status: open
title: urllib http client vulnerable to DOS attack
type: security
versions: Python 3.10
Added file: https://bugs.python.org/file50436/server.py

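The whole-operation timeout the reporter asks for (the curl --max-time semantics quoted in the thread, and the "should not reset in any case" comment) can be enforced on the caller's side without changes to urllib. The block below is an added example; it is not code from the tracker thread, from CPython, or from the attached server.py. fetch_with_deadline, timed_fetch, start_server and the local trickling test server are all constructed for this illustration, and the port, body length and delays are assumed values.

```python
"""Added example (not from the tracker issue or CPython): a client-side
whole-operation deadline around urllib.request.urlopen().

urlopen(timeout=...) only bounds each individual socket operation (connect,
one recv). A server that sends a byte just before each timeout expires can
hold the client for as long as it likes. The deadline below is measured from
before urlopen() and is never reset by incoming bytes.
"""
import http.server
import threading
import time
import urllib.request


class DeadlineExceeded(TimeoutError):
    """Raised when the whole exchange overruns the caller's wall-clock budget."""


def fetch_with_deadline(url, per_op_timeout=1.0, total_deadline=5.0,
                        max_bytes=10 * 1024 * 1024, chunk=4096):
    """Fetch url under two independent limits.

    per_op_timeout - passed to urlopen(); caps each blocking socket call.
    total_deadline - wall-clock budget for connect + headers + body, checked
                     between reads and never reset when data arrives.
    max_bytes      - refuse bodies larger than this (the other DoS lever).
    Worst case wait is about total_deadline + per_op_timeout, because the
    deadline can only be checked between socket calls, not inside one.
    """
    start = time.monotonic()
    received = 0
    chunks = []
    with urllib.request.urlopen(url, timeout=per_op_timeout) as resp:
        while True:
            if time.monotonic() - start > total_deadline:
                raise DeadlineExceeded(
                    f"gave up after {received} bytes and {total_deadline}s")
            # read1() returns after at most one recv(); read(chunk) would block
            # until `chunk` bytes arrived, letting a trickling server defer
            # the deadline check indefinitely.
            data = resp.read1(chunk)
            if not data:
                break
            received += len(data)
            if received > max_bytes:
                raise ValueError(f"response body exceeds {max_bytes} bytes")
            chunks.append(data)
    return b"".join(chunks)


def timed_fetch(url, **kw):
    """Run fetch_with_deadline() and report (body or DeadlineExceeded, seconds)."""
    t0 = time.monotonic()
    try:
        return fetch_with_deadline(url, **kw), time.monotonic() - t0
    except DeadlineExceeded as exc:
        return exc, time.monotonic() - t0


# Constructed local test server (hypothetical; not the server.py attached to
# the issue). With delay > 0 it sends the body one byte at a time, which is
# the pattern the report describes; with delay = 0 it answers normally.
class _TrickleHandler(http.server.BaseHTTPRequestHandler):
    body_len = 200      # bytes promised in Content-Length
    delay = 0.0         # seconds to sleep between bytes

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(self.body_len))
        self.end_headers()
        try:
            for _ in range(self.body_len):
                self.wfile.write(b"x")
                if self.delay:
                    time.sleep(self.delay)
        except OSError:
            pass  # client gave up; stop sending

    def log_message(self, format, *args):
        pass  # keep the example quiet


def start_server(delay=0.0, body_len=200):
    """Start a ThreadingHTTPServer on a free localhost port; returns (server, port)."""
    handler = type("Handler", (_TrickleHandler,),
                   {"delay": delay, "body_len": body_len})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_server(delay=0.05)          # 200 bytes * 50 ms = 10 s
    try:
        out, secs = timed_fetch(f"http://127.0.0.1:{port}/",
                                per_op_timeout=1.0, total_deadline=1.0)
        # prints DeadlineExceeded and an elapsed time of about one second
        print(type(out).__name__, f"after {secs:.2f}s")
    finally:
        srv.shutdown()
        srv.server_close()
```

Two caveats worth knowing before relying on this. First, inside urlopen() itself (connect and header parsing) only the per-operation timeout applies, so the deadline is enforced from the first body read onward and the total wait can exceed it by roughly one per-operation timeout. Second, the choice of read1() over read() matters: HTTPResponse.read(n) on a non-chunked body keeps calling recv() until n bytes or end of body, so a server dripping one byte per call would never return control to the deadline check.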