[issue34866] CGI DOS vulnerability via long post list

2018-10-30 Thread STINNER Victor
STINNER Victor added the comment: Thanks Matthew Belisle for the nice security counter-measure!
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
versions: -Python 3.4, Python 3.5

[issue34866] CGI DOS vulnerability via long post list

2018-10-30 Thread Matthew Belisle
Matthew Belisle added the comment: That makes sense Victor, I agree. Thanks for merging those PRs.

[issue34866] CGI DOS vulnerability via long post list

2018-10-30 Thread STINNER Victor
STINNER Victor added the comment: I suggest not adding the new parameter to the 3.4 and 3.5 branches, even if it's a security fix. The fix requires *using* the parameter, and I don't expect applications on Python 3.4 and 3.5 to be modified to use it.

[issue34866] CGI DOS vulnerability via long post list

2018-10-30 Thread STINNER Victor
STINNER Victor added the comment: New changeset bc6f74a520112d25ef40324e3de4e8187ff2835d by Victor Stinner (matthewbelisle-wf) in branch '2.7': bpo-34866: Add max_num_fields to cgi.FieldStorage (GH-9660) (GH-9969)

[issue34866] CGI DOS vulnerability via long post list

2018-10-24 Thread STINNER Victor
STINNER Victor added the comment: For 3.7 and 3.6 changes, you have to specify the minor Python version (3.7.x and 3.6.x) in which the change has been introduced. Same comment for Python 2.7.

[issue34866] CGI DOS vulnerability via long post list

2018-10-24 Thread STINNER Victor
STINNER Victor added the comment:

> https://github.com/python/cpython/commit/209144831b0a19715bda3bd72b14a3e6192d9cc1

This commit adds a new max_num_fields=None parameter to FieldStorage, parse_qs() and parse_qsl(): you must update the documentation in Doc/library/ as well.
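An added example (not part of the tracker thread and not CPython's own code) of applying the max_num_fields parameter discussed above through urllib.parse.parse_qsl(). The function names, both limits and the sample bodies are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Assumed limits for this sketch; tune them to what the application's forms need.
MAX_BODY_BYTES = 64 * 1024
MAX_FIELDS = 100


def parse_form(body: bytes, max_fields: int = MAX_FIELDS,
               max_bytes: int = MAX_BODY_BYTES):
    """Parse an application/x-www-form-urlencoded body defensively.

    Returns (status, fields):
      200 - parsed, fields is a list of (name, value) pairs
      413 - body larger than max_bytes
      400 - more than max_fields fields, or body is not ASCII
    """
    if len(body) > max_bytes:
        return 413, []
    try:
        text = body.decode("ascii")  # urlencoded data is percent-encoded ASCII
    except UnicodeDecodeError:
        return 400, []
    try:
        # max_num_fields (documented for parse_qs/parse_qsl since Python 3.8)
        # makes the parser count separators first and raise ValueError
        # before it builds the list of fields.
        fields = parse_qsl(text, keep_blank_values=True,
                           max_num_fields=max_fields)
    except ValueError:
        return 400, []
    return 200, fields


def build_body(n: int) -> bytes:
    """Constructed sample input: n short fields joined with '&'."""
    return b"&".join(b"x=1" for _ in range(n))


if __name__ == "__main__":
    # 101 fields fit in about 400 bytes, so a byte cap alone would accept
    # them; the field-count limit is what rejects the request.
    for n in (100, 101, 20000):
        status, fields = parse_form(build_body(n))
        print(n, "fields ->", status, "parsed:", len(fields))
```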

[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread Matthew Belisle
Change by Matthew Belisle: pull_requests: +9314

[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington
miss-islington added the comment: New changeset 322a914965368ffd7e4f97ede50b351fdf48d870 by Miss Islington (bot) in branch '3.6': bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660) https://github.com/python/cpython/commit/322a914965368ffd7e4f97ede50b351fdf48d870

[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington
miss-islington added the comment: New changeset a66f279a1381dd5c1c27232ccf9f210d575e1dcc by Miss Islington (bot) in branch '3.7': bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660) https://github.com/python/cpython/commit/a66f279a1381dd5c1c27232ccf9f210d575e1dcc

[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington
Change by miss-islington: pull_requests: +9310

[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington
Change by miss-islington: pull_requests: +9309

[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington
miss-islington added the comment: New changeset 209144831b0a19715bda3bd72b14a3e6192d9cc1 by Miss Islington (bot) (matthewbelisle-wf) in branch 'master': bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660)

[issue34866] CGI DOS vulnerability via long post list

2018-10-10 Thread Matthew Belisle
Matthew Belisle added the comment: Sorry, looks like I forgot to attach example.py. Attaching now.
Added file: https://bugs.python.org/file47861/example.py

[issue34866] CGI DOS vulnerability via long post list

2018-10-02 Thread Karthikeyan Singaravelan
Change by Karthikeyan Singaravelan: nosy: +xtreak

[issue34866] CGI DOS vulnerability via long post list

2018-10-01 Thread Roundup Robot
Change by Roundup Robot: keywords: +patch; pull_requests: +9053; stage: -> patch review

[issue34866] CGI DOS vulnerability via long post list

2018-10-01 Thread Matthew Belisle
New submission from Matthew Belisle:

Copied from email to secur...@python.org:

I have been doing memory profiling on a few python web frameworks and I noticed this issue in the cgi.FieldStorage class.

$ python example.py
Memory used: 523935744 bytes

The problem is there is no easy way to