New submission from Mohammed Dief <mdaif1...@gmail.com>:

- Hello there, two days ago I discovered a DoS on http.server in Python that 
allows me to take any Python http.server down using fewer than 1k requests. I 
reported it to PSRT, but they said I should report it here since http.server 
isn't for production. So here's the issue: in server.py, the http.server library 
has a really big value on the validation, and checks whether the first line of the 
request (method /path HTTP/VERSION) has more than 65k characters inside it 
using the `len()` function.

- In this case, the user is able to provide a method 65k characters long 
and the server will accept it. If you send one request with this number of 
characters inside the request using cURL, you will notice that the server 
can handle it, but after creating a big loop of 1k requests with the same 
characters, the server was taken down and didn't respond again since it was 
trying to process this amount of data.

- Such an attack could be used to take down any Python server running the 
http.server module, but since it's not for production, as the documentation 
says, the attack surface isn't that wide.

- To prove this issue, you can use this command while running your server on 
port 8080 (or any port; you just need to modify the command):

    for i in $(python3 -c "print('A\n'*10000)"); do curl -X $(python3 -c "print('A'*10000)") 'http://localhost:8080/404' ; done

- Then the server should be taken down after many requests. Also, I managed to 
fix this issue from my side by adding character validation to the code to 
avoid interacting with the long data many times. Should I submit it here, or 
should I create a PR? PS: my fix doesn't change the main request-line validation 
int.

----------
messages: 390849
nosy: demonia
priority: normal
severity: normal
status: open
title: Denial of service on http.server module with large request method.
type: security
versions: Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue43813>
_______________________________________
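The validation the report describes, a single `len()` cap of 65536 bytes on the whole request line, placed beside a stricter variant that also requires the method to be a short RFC 7230 token. This is an added example written for this page; it is not the reporter's fix and not CPython's http.server code. The 65536-byte cap matches the limit the report refers to; MAX_METHOD_LEN = 32 is an assumed value chosen for illustration, and the request lines fed to the parsers are constructed in the block to mirror the `curl -X AAAA...` loop in the report.

```python
import re

# Whole-request-line cap, matching the 65536-byte limit the report refers to.
MAX_REQUEST_LINE = 65536
# Additional cap on the method token. Assumed value for this example; real
# methods (GET, OPTIONS, PROPFIND, ...) are far shorter than this.
MAX_METHOD_LEN = 32

# RFC 7230 "token" characters; a method is one or more of these.
_TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# HTTP-version as it appears on the request line, e.g. HTTP/1.1.
_VERSION_RE = re.compile(rb"^HTTP/[0-9]\.[0-9]$")


class RequestLineError(ValueError):
    """Rejected request line; `status` is the HTTP status a server would send."""

    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def build_request_line(method_len, target=b"/404"):
    """Constructed input: the request line the report's curl loop produces
    (`curl -X AAAA...`), with a method of `method_len` 'A' characters."""
    return b"A" * method_len + b" " + target + b" HTTP/1.1\r\n"


def _split(raw):
    """Shared length check, then split into (method, target, version)."""
    if len(raw) > MAX_REQUEST_LINE:
        raise RequestLineError(414, "request line too long")
    parts = raw.rstrip(b"\r\n").split()
    if len(parts) != 3:
        raise RequestLineError(400, "malformed request line")
    return parts[0], parts[1], parts[2]


def parse_lax(raw):
    """Length-only validation, as the report describes: any line up to
    65536 bytes is accepted, including one with a 10000-character method."""
    return _split(raw)


def parse_strict(raw):
    """Same length check, plus method and version validation, so an
    oversized or non-token method is refused before any dispatch."""
    method, target, version = _split(raw)
    if len(method) > MAX_METHOD_LEN:
        raise RequestLineError(400, "method too long")
    if not _TOKEN_RE.match(method):
        raise RequestLineError(400, "method is not an HTTP token")
    if not _VERSION_RE.match(version):
        raise RequestLineError(400, "bad HTTP version")
    return method, target, version


def status_for(parser, raw):
    """Status a server using `parser` would answer with: 200 stands in for
    an accepted line, otherwise the rejection status from the parser."""
    try:
        parser(raw)
    except RequestLineError as exc:
        return exc.status
    return 200


if __name__ == "__main__":
    for n in (3, 10000, 70000):
        line = build_request_line(n)
        print(f"method of {n} chars: lax -> {status_for(parse_lax, line)}, "
              f"strict -> {status_for(parse_strict, line)}")
```

Run stand-alone, the block shows the difference the report is about: the 10000-character method passes the length-only check and is handed on to method dispatch, while the strict parser answers 400 as soon as the method token is inspected. Both parsers agree on a line over 65536 bytes (414), so the extra method check narrows what gets through without touching the original length limit.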