New submission from Muhammad Farhan <farhankhursheed2...@gmail.com>:
Hi, during my recent tests I have discovered that the urllib HTTP client (urllib.request.urlopen()) is vulnerable to a DoS attack using a simple but effective trick.

I am attaching a file named server.py; download it and run it using the latest version of Python. After running it, execute the following Python code in interactive mode (python -i):

    import urllib.request
    request = urllib.request.Request('http://127.0.0.1:1338')
    response = urllib.request.urlopen(request, timeout=1)

DoS limit: we can achieve DoS for an unlimited time.

How to fix? Implement proper timeout logic in urllib.request.urlopen(url, timeout). The timeout value should not be reset after the client receives data (bytes), because this can easily be abused to achieve DoS.

----------
components: Library (Lib)
files: server.py
messages: 406220
nosy: haqsek2
priority: normal
severity: normal
status: open
title: urllib http client vulnerable to DOS attack
type: security
versions: Python 3.10
Added file: https://bugs.python.org/file50436/server.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue45795>
_______________________________________
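Added example (not the reporter's server.py and not CPython code): a client-side mitigation for the behaviour described in the report. It uses http.client, the layer urlopen() is built on, and re-applies the remaining overall budget as the socket timeout before every read, so bytes trickling in cannot keep extending the wait. Assumptions: CPython's undocumented HTTPConnection.sock attribute, and a constructed localhost drip server used only as a fixture to exercise the deadline.

```python
import http.client
import socket
import threading
import time
from urllib.parse import urlsplit

class DeadlineExceeded(Exception):
    """args[0] is the number of body bytes received before the deadline hit."""

def fetch_with_deadline(url, total_seconds, chunk_size=4096):
    """GET url; return the body, or raise DeadlineExceeded once total_seconds elapse."""
    parts = urlsplit(url)
    deadline = time.monotonic() + total_seconds
    conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=total_seconds)
    conn.connect()
    sock = conn.sock  # assumption: CPython's HTTPConnection.sock; kept in case conn drops it
    body = bytearray()
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()  # status line and headers: still the per-operation timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise DeadlineExceeded(len(body))
            sock.settimeout(remaining)  # a stalled peer cannot block past the deadline
            chunk = resp.read1(chunk_size)  # one recv() at most; read(n) would loop internally
            if not chunk:
                return bytes(body)
            body += chunk
    except socket.timeout:
        raise DeadlineExceeded(len(body)) from None
    finally:
        conn.close()

def start_drip_server(body, delay):
    """Constructed local fixture: answers one GET, sending body one byte every delay seconds."""
    srv = socket.create_server(("127.0.0.1", 0))
    url = "http://127.0.0.1:%d/" % srv.getsockname()[1]
    def serve():
        with srv, srv.accept()[0] as client:
            client.recv(4096)  # the request itself is consumed and ignored
            try:
                client.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body))
                for byte in body:
                    client.sendall(bytes([byte]))
                    time.sleep(delay)
            except OSError:
                pass  # the client gave up and closed the connection
    threading.Thread(target=serve, daemon=True).start()
    return url
```

With urlopen(url, timeout=1) the same trickle of one byte per 50 ms is accepted indefinitely; here the fetch is abandoned at the deadline regardless of how many bytes have arrived.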