subject:"\[issue31449\] Potential DoS Attack when Parsing Email with Huge Number of MIME Parts"

[issue31449] Potential DoS Attack when Parsing Email with Huge Number of MIME Parts

2017-09-13 Thread R. David Murray


R. David Murray added the comment:

10 million mime parts?  That sounds like the kind of thing rfc 1870 was 
designed to address in a more general fashion (ie: the SMTP server should be 
enforcing maximum message size if you are worried about DOS attacks).

1 million = 3 seconds, 10 million = "over three minutes" sounds like a linear 
increase, so I don't see that there is anything special about "mime parts" in 
this scenario.

I have no objection to PRs making the parsing more efficient, though :)

--
nosy: +christian.heimes

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31449] Potential DoS Attack when Parsing Email with Huge Number of MIME Parts

2017-09-13 Thread Christian Koßmann


New submission from Christian Koßmann:

Python's email parser consumes a lot of resources (CPU and memory) when parsing 
emails with a large amount of MIME parts. Attackers can probably exploit this 
behavior to perform denial-of-service (DoS) attacks.

A potentially malicious email has the following structure:

=
From: sen...@example.com
To: recipi...@example.com
Subject: Mutlipart DoS Attack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="n"

This is a multi-part message in MIME format.
--n

b

--n

... a lot of parts here...

--n

b

--n--
=

On my machine parsing an email with 1 million MIME parts takes around 20 
seconds and with 10 million MIME parts over 3 minutes.

In my opinion, the number of MIME parts should be limited to some reasonable 
value to mitigate this kind of attack. The bug report contains a Python script 
with a proof-of-concept.

--
components: email
files: multipart-dos-attack.py
messages: 302060
nosy: barry, ckossmann, r.david.murray
priority: normal
severity: normal
status: open
title: Potential DoS Attack when Parsing Email with Huge Number of MIME Parts
type: security
versions: Python 3.5, Python 3.6
Added file: https://bugs.python.org/file47138/multipart-dos-attack.py

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31449] Potential DoS Attack when Parsing Email with Huge Number of MIME Parts

[issue31449] Potential DoS Attack when Parsing Email with Huge Number of MIME Parts

2 matches

Site Navigation

Mail list logo

Footer information