[issue45795] urllib http client vulnerable to DOS attack
Muhammad Farhan added the comment: Hi, hope all of you are doing good. Looks like you guys are not interested in this issue. Can you please provide me the source code for the urllib, I will fix it myself. -- Python tracker <https://bugs.python.org/issue45795> -- Python-bugs-list mailing list. Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
Muhammad Farhan added the comment: Maximum time in seconds that you allow the whole operation to take. This is useful for preventing your batch jobs from hanging for hours due to slow networks or links going down. Since 7.32.0, this option accepts decimal values, but the actual timeout will decrease in accuracy as the specified timeout increases in decimal precision. If this option is used several times, the last one will be used. Examples: curl --max-time 10 https://example.com ; curl --max-time 2.92 https://example.com Ref: https://curl.se/docs/manpage.html#-m
Muhammad Farhan added the comment: So, the idea is to make the timeout apply to the whole operation, and it should not reset in any case.
Muhammad Farhan added the comment: See max_time.png and curl.png. -- Added file: https://bugs.python.org/file50449/curl.png
Muhammad Farhan added the comment: Yes, other clients like curl do not reset the timeout. See the attached screenshots for reference. -- Added file: https://bugs.python.org/file50448/max_time.png
Muhammad Farhan added the comment: Is anyone going to respond?
New submission from Muhammad Farhan: Hi, during my recent tests I have discovered that the urllib http client (urllib.request.urlopen()) is vulnerable to a DOS attack using a simple but effective trick. I am attaching a file named server.py; download it and run it using the latest version of Python. After running it, execute the following Python code in interactive mode (python -i):

import urllib.request
request = urllib.request.Request('http://127.0.0.1:1338')
# the original post passed an undefined name `req` here; the Request object is `request`
response = urllib.request.urlopen(request, timeout=1)

DOS limit: We can achieve DOS for unlimited time. How to fix? Implement a good logic for timeout in urllib.request.urlopen(url, timeout). The timeout value should not be reset after the client receives data (bytes), because it can easily be abused to achieve DOS. -- components: Library (Lib) files: server.py messages: 406220 nosy: haqsek2 priority: normal severity: normal status: open title: urllib http client vulnerable to DOS attack type: security versions: Python 3.10 Added file: https://bugs.python.org/file50436/server.py
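The behaviour the report describes follows from how urlopen's timeout works: it is installed as the socket timeout, so it bounds each individual blocking operation (the connect, then every recv), not the request as a whole. A server that delivers a byte every 0.9 s against timeout=1 therefore never trips it, and the call runs as long as the server keeps trickling. The client-side mitigation is to keep the per-operation timeout as the bound on any single read and add a separate wall-clock deadline for the whole transfer, which is what curl's --max-time does. The wrapper below is an added example written for this page; it is not code from the issue thread or from CPython, and the names read_with_deadline, urlopen_with_deadline and the two constructed stand-in sources are this example's own. The trickle and fast sources are constructed stand-ins so the logic can be exercised offline without a server.

```python
"""Bound the total wall-clock time of a urllib transfer.

urlopen(timeout=...) sets the socket timeout, which applies to each
individual blocking operation.  A deadline for the whole body has to be
enforced by the caller while reading.  Added example; the helper names
and the stand-in sources are this example's own choices.
"""
import time
import urllib.request


def read_with_deadline(source, deadline, chunk_size=8192, max_bytes=None):
    """Read all of `source` (anything with read(n) -> bytes) and raise
    TimeoutError once `deadline` seconds have elapsed in total.

    Each read() may still block for up to the socket timeout that
    urlopen() installed, so the worst-case overrun is one socket timeout
    beyond `deadline`.  `max_bytes` optionally caps the body size so a
    fast server cannot exhaust memory instead of time.
    """
    start = time.monotonic()
    chunks = []
    total = 0
    while True:
        remaining = deadline - (time.monotonic() - start)
        if remaining <= 0:
            raise TimeoutError(
                f"transfer exceeded {deadline}s after {total} bytes")
        chunk = source.read(chunk_size)
        if not chunk:  # EOF: the server finished sending the body
            return b"".join(chunks)
        chunks.append(chunk)
        total += len(chunk)
        if max_bytes is not None and total > max_bytes:
            raise ValueError(f"response exceeded {max_bytes} bytes")


def urlopen_with_deadline(url, deadline, per_read_timeout=1.0, **kw):
    """Fetch `url`, bounding each socket operation (per_read_timeout)
    and the whole transfer (deadline).  Not exercised by the offline
    demo below because it needs a network."""
    req = urllib.request.Request(url)
    with urllib.request.urlopen(req, timeout=per_read_timeout) as resp:
        return read_with_deadline(resp, deadline, **kw)


class TrickleSource:
    """Constructed stand-in for a slow-drip server: one byte per read()
    after `delay` seconds, never reaching EOF."""

    def __init__(self, delay):
        self.delay = delay

    def read(self, n):
        time.sleep(self.delay)
        return b"x"


class FastSource:
    """Constructed stand-in for a well-behaved server that sends `body`
    and then closes (read() returns b"")."""

    def __init__(self, body):
        self.body = body

    def read(self, n):
        out, self.body = self.body[:n], self.body[n:]
        return out


def demo():
    """Show both outcomes: a normal body completes, a trickle times out."""
    ok = read_with_deadline(FastSource(b"hello world"), deadline=1.0)
    try:
        read_with_deadline(TrickleSource(delay=0.02), deadline=0.2)
        timed_out = False
    except TimeoutError:
        timed_out = True
    return ok, timed_out


if __name__ == "__main__":
    print(demo())  # (b'hello world', True)
```

Per-read socket timeout and total deadline serve different purposes and both are needed: the socket timeout catches a peer that goes silent, the deadline catches one that stays just active enough to keep resetting it. Checking the deadline only between reads means a single read can still overrun by up to one socket timeout, so choose per_read_timeout small relative to deadline.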