[issue34866] CGI DOS vulnerability via long post list

2018-10-30 Thread STINNER Victor


STINNER Victor  added the comment:

Thanks Matthew Belisle for the nice security counter-measure!

--
resolution:  -> fixed
stage: patch review -> resolved
status: open -> closed
versions:  -Python 3.4, Python 3.5

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue34866] CGI DOS vulnerability via long post list

2018-10-30 Thread Matthew Belisle


Matthew Belisle  added the comment:

That makes sense Victor, I agree. Thanks for merging those PRs.

--


[issue34866] CGI DOS vulnerability via long post list

2018-10-30 Thread STINNER Victor


STINNER Victor  added the comment:

I suggest not adding the new parameter to the 3.4 and 3.5 branches, even if it's 
a security fix. The fix requires *using* the parameter, and I don't expect 
applications on Python 3.4 and 3.5 to be modified to use it.

--


[issue34866] CGI DOS vulnerability via long post list

2018-10-30 Thread STINNER Victor


STINNER Victor  added the comment:


New changeset bc6f74a520112d25ef40324e3de4e8187ff2835d by Victor Stinner 
(matthewbelisle-wf) in branch '2.7':
bpo-34866: Add max_num_fields to cgi.FieldStorage (GH-9660) (GH-9969)
https://github.com/python/cpython/commit/bc6f74a520112d25ef40324e3de4e8187ff2835d


--


[issue34866] CGI DOS vulnerability via long post list

2018-10-24 Thread STINNER Victor


STINNER Victor  added the comment:

For the 3.7 and 3.6 changes, you have to specify the minor Python version (3.7.x 
and 3.6.x) in which the change has been introduced. Same comment for Python 2.7.

--


[issue34866] CGI DOS vulnerability via long post list

2018-10-24 Thread STINNER Victor


STINNER Victor  added the comment:

> https://github.com/python/cpython/commit/209144831b0a19715bda3bd72b14a3e6192d9cc1

This commit adds a new max_num_fields=None parameter to FieldStorage, 
parse_qs() and parse_qsl(): you must update the documentation in Doc/library/ 
as well.

--
nosy: +vstinner


[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread Matthew Belisle


Change by Matthew Belisle :


--
pull_requests: +9314


[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington


miss-islington  added the comment:


New changeset 322a914965368ffd7e4f97ede50b351fdf48d870 by Miss Islington (bot) 
in branch '3.6':
bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660)
https://github.com/python/cpython/commit/322a914965368ffd7e4f97ede50b351fdf48d870


--


[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington


miss-islington  added the comment:


New changeset a66f279a1381dd5c1c27232ccf9f210d575e1dcc by Miss Islington (bot) 
in branch '3.7':
bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660)
https://github.com/python/cpython/commit/a66f279a1381dd5c1c27232ccf9f210d575e1dcc


--


[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington


Change by miss-islington :


--
pull_requests: +9310


[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington


Change by miss-islington :


--
pull_requests: +9309


[issue34866] CGI DOS vulnerability via long post list

2018-10-19 Thread miss-islington


miss-islington  added the comment:


New changeset 209144831b0a19715bda3bd72b14a3e6192d9cc1 by Miss Islington (bot) 
(matthewbelisle-wf) in branch 'master':
bpo-34866: Adding max_num_fields to cgi.FieldStorage (GH-9660)
https://github.com/python/cpython/commit/209144831b0a19715bda3bd72b14a3e6192d9cc1


--
nosy: +miss-islington


[issue34866] CGI DOS vulnerability via long post list

2018-10-10 Thread Matthew Belisle


Matthew Belisle  added the comment:

Sorry, looks like I forgot to attach example.py. Attaching now.

--
Added file: https://bugs.python.org/file47861/example.py


[issue34866] CGI DOS vulnerability via long post list

2018-10-02 Thread Karthikeyan Singaravelan


Change by Karthikeyan Singaravelan :


--
nosy: +xtreak


[issue34866] CGI DOS vulnerability via long post list

2018-10-01 Thread Roundup Robot


Change by Roundup Robot :


--
keywords: +patch
pull_requests: +9053
stage:  -> patch review


[issue34866] CGI DOS vulnerability via long post list

2018-10-01 Thread Matthew Belisle


New submission from Matthew Belisle :

Copied from email to secur...@python.org:

I have been doing memory profiling on a few Python web frameworks and I noticed 
this issue in the cgi.FieldStorage class.

$ python example.py
Memory used: 523935744 bytes

The problem is that there is no easy way to limit the number of MiniFieldStorage 
objects created by FieldStorage, so it goes unchecked in many frameworks like 
pyramid, pylons, webapp2, and flask. The end result is that on these 
frameworks, a 9MB request body (gzipped down to 9KB) can chew up ~500MB of 
memory on the server, which is enough to effectively DOS it. The obvious way to 
prevent this currently is to check the content-length header and fail if it 
exceeds some value. But that solution has a major shortcoming because many 
frameworks want to allow large payloads, sometimes up to 10MB, as long as they 
contain a reasonable number of fields.

After talking with the secur...@python.org team and pylons dev team about it, 
we think the best solution is to add a max_num_fields param to the FieldStorage 
class, defaulting to None, which throws an error if max_num_fields is exceeded.

--
components: Library (Lib)
messages: 326831
nosy: Matthew Belisle
priority: normal
severity: normal
status: open
title: CGI DOS vulnerability via long post list
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

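The counter-measure this thread converges on, shown as an added example that is not code from the thread, from the attached example.py, or from CPython: it uses the max_num_fields keyword that the bpo-34866 change added to urllib.parse.parse_qsl() (the same keyword went into parse_qs() and cgi.FieldStorage, which hands URL-encoded bodies to parse_qsl), and it demonstrates the property the reporter asks for above: a multi-megabyte body with two fields is accepted while a tiny body with one field too many is refused. The cap MAX_FORM_FIELDS, the exception TooManyFields and the helpers parse_form_body/handle_post are this example's own names, and the request bodies are constructed inline.

```python
"""Cap the number of form fields a request may carry.

Added example (not from the tracker thread or CPython). It relies on the
max_num_fields keyword of urllib.parse.parse_qsl(), added under bpo-34866,
to refuse a body with more fields than the application expects before a
per-field object is built for each one.
"""
from urllib.parse import parse_qsl

# Assumed application policy (placeholder value, not from the thread): no
# legitimate form on this service carries more than this many fields.
MAX_FORM_FIELDS = 100


class TooManyFields(ValueError):
    """The body contains more fields than the configured cap allows."""


def parse_form_body(body: bytes, max_fields: int = MAX_FORM_FIELDS):
    """Decode an application/x-www-form-urlencoded body into (name, value) pairs.

    parse_qsl() counts separators before splitting and raises ValueError when
    1 + body.count('&') exceeds max_num_fields, so rejecting an oversized body
    costs one scan of the input rather than one object per field.
    """
    # latin-1 never fails to decode, so with strict_parsing off the only
    # ValueError that can escape parse_qsl() below is the field-count check.
    text = body.decode("latin-1")
    try:
        return parse_qsl(text, keep_blank_values=True, max_num_fields=max_fields)
    except ValueError as exc:
        raise TooManyFields(
            f"request carries more than {max_fields} form fields") from exc


def handle_post(body: bytes, max_fields: int = MAX_FORM_FIELDS):
    """Minimal request handler: return (HTTP status, parsed fields or None).

    A field cap is the right knob here rather than a Content-Length limit:
    the thread notes that frameworks want to accept large bodies as long as
    the field count stays reasonable.
    """
    try:
        fields = parse_form_body(body, max_fields)
    except TooManyFields:
        return 413, None  # Payload Too Large; nothing was allocated per field
    return 200, fields


# Constructed sample bodies (not captured traffic).
NORMAL_BODY = b"user=alice&action=login&remember=on"
# Two fields but a 2 MB value: a size-only limit would wrongly reject this.
LARGE_FEW_FIELDS_BODY = b"title=notes&content=" + b"x" * (2 * 1024 * 1024)
# Under 1 KB, but one more field than the cap allows.
MANY_FIELDS_BODY = b"&".join(b"f%d=1" % i for i in range(MAX_FORM_FIELDS + 1))


if __name__ == "__main__":
    for label, body in [("normal", NORMAL_BODY),
                        ("large-few-fields", LARGE_FEW_FIELDS_BODY),
                        ("many-fields", MANY_FIELDS_BODY)]:
        status, fields = handle_post(body)
        count = len(fields) if fields is not None else "-"
        print(f"{label:18s} {len(body):>9d} bytes -> HTTP {status}, fields={count}")
```

The cap is checked inside parse_qsl() from a separator count, so the cost of refusing a body is proportional to its length, not to the number of fields it claims; that is what makes it a usable defence against the allocation blow-up the reporter measured, and why the thread insists the parameter has to be passed by the application rather than merely exist with a None default.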