Gregory P. Smith <g...@krypto.org> added the comment:

If anyone wants a CVE for it, that's up to them.  This bug is in the CPython 
http.client module which is what urllib uses for http/https.  I'd rate it low 
severity.  A malicious server can hold a http connection from this library open 
as a network traffic sink.  There are other ways to do that.  ex: Just omit a 
a content-length header in a server response and start streaming an infinite 
response.

The difference in this case being that since the data is thrown away, it isn't 
going to result in memory exhaustion and kill the unfortunate process as trying 
to read an infinite response would.  That's the primary DoS potential from my 
point of view.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue44022>
_______________________________________
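As an added example (not code from the tracker thread or from CPython itself), a reader for http.client responses that bounds both the bytes consumed and the wall-clock time spent, which limits what a server that streams an unbounded body, or holds the connection open as a traffic sink, can cost the client. The names `read_bounded`, `fetch_bounded`, `exceeds_limit` and the limit values are this example's own assumptions.

```python
import http.client
import time


class ResponseLimitExceeded(Exception):
    """Raised when a response body exceeds the byte or time budget."""


def read_bounded(body, max_bytes, deadline_seconds=30.0, chunk_size=65536):
    """Read a body from any object with read(n), refusing to consume more than
    max_bytes or to keep reading for longer than deadline_seconds.

    A socket timeout only bounds each individual read; a server that trickles
    data or streams forever (no Content-Length) still needs a byte cap and a
    wall-clock deadline, which is what this function adds.
    """
    buf = bytearray()
    deadline = time.monotonic() + deadline_seconds
    while True:
        # Ask for at most one byte beyond the cap so an overrun is detected
        # without buffering an arbitrarily large chunk first.
        want = min(chunk_size, max_bytes - len(buf) + 1)
        chunk = body.read(want)
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > max_bytes:
            raise ResponseLimitExceeded(f"body exceeded {max_bytes} bytes")
        if time.monotonic() > deadline:
            raise ResponseLimitExceeded(f"body not complete in {deadline_seconds}s")


def fetch_bounded(host, path, max_bytes=10_000_000, timeout=10.0,
                  deadline_seconds=30.0):
    """GET http://host/path with a per-read socket timeout plus the caps above."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, read_bounded(resp, max_bytes, deadline_seconds)
    finally:
        conn.close()


def exceeds_limit(body, max_bytes, **limits):
    """True if reading body under the given limits raises ResponseLimitExceeded."""
    try:
        read_bounded(body, max_bytes, **limits)
        return False
    except ResponseLimitExceeded:
        return True


class EndlessBody:
    """Constructed stand-in for a server that streams without end (test only)."""

    def read(self, n):
        return b"x" * n
```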