[issue43813] Denial of service on http.server module with large request method.

2021-05-19 Thread Mohammed Dief


Mohammed Dief added the comment:

Hey there, sorry for the delay. I just submitted the fix as a PR to the Python 
source code.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue43813] Denial of service on http.server module with large request method.

2021-05-18 Thread Mohammed Dief


Change by Mohammed Dief:


--
keywords: +patch
pull_requests: +24840
stage:  -> patch review
pull_request: https://github.com/python/cpython/pull/26223




[issue43813] Denial of service on http.server module with large request method.

2021-05-12 Thread Jonathan Schweder


Jonathan Schweder added the comment:

@demonia, you are more than welcome to send a PR; send it and add a reference to 
this issue so it can be reviewed.

--
nosy: +jaswdr




[issue43813] Denial of service on http.server module with large request method.

2021-04-13 Thread Raymond Hettinger


Change by Raymond Hettinger:


--
nosy: +rhettinger




[issue43813] Denial of service on http.server module with large request method.

2021-04-12 Thread Mohammed Dief


New submission from Mohammed Dief:

- Hello there. Two days ago I discovered a DoS on http.server in Python that 
allows me to take any Python http.server down using less than 1k requests. I 
reported it to the PSRT, but they said I should report it here since http.server 
isn't for production. So here's the issue: in server.py, the http.server library 
has a really big value in the validation, and checks whether the first line of 
the request (method /path HTTP/VERSION) has more than 65k characters in it 
using the `len()` function.

- In this case, the user is able to provide a method 65k characters long and 
the server will accept it. If you send one request with this number of 
characters inside the request using cURL, you will notice that the server can 
handle it, but after creating a big loop of 1k requests with the same 
characters, the server was taken down and didn't respond again, since it was 
trying to process this amount of data.

- Such an attack could be used to take down any Python server running using the 
http.server module, but since it's not for production, as the documentation 
says, the attack surface isn't that wide.

- To prove this issue, you can use this command while running your server on 
port 8080 (or any port; you just need to modify the command): for i in $(python3 
-c "print('A\n'*1)"); do curl -X $(python3 -c "print('A'*1)") 
'http://localhost:8080/404' ; done

- Then the server should be taken down after many requests. Also, I managed to 
fix this issue on my side by adding character validation to the code to avoid 
interacting with the long data many times. Should I submit it here, or should I 
create a PR? PS: my fix doesn't change the main requestline validation int.

--
messages: 390849
nosy: demonia
priority: normal
severity: normal
status: open
title: Denial of service on http.server module with large request method.
type: security
versions: Python 3.6

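The report above describes the mechanism but not where the cost lands, so the following is an added example, written for this page; it is neither the reporter's patch nor the CPython pull request, and nothing about that PR's contents is taken from it. It drives the stock `BaseHTTPRequestHandler` over a constructed request whose method is 65,000 bytes (under the 65536-byte request-line check in `handle_one_request`) and over one of 70,000 bytes (over it), using an in-memory stand-in for the socket so no port is opened, then does the same with a handler that caps the method token. `_FakeSocket`, `MAX_METHOD_LEN = 32`, the choice of a 400 response, and the sample request are all assumptions made here.

```python
"""Added example (not from the issue or from CPython's fix): reproduce the
report offline against http.server and show a tighter per-method bound.

Assumptions, all made here rather than taken from the issue:
  * _FakeSocket stands in for a TCP connection so no port is opened.
  * MAX_METHOD_LEN = 32 is an arbitrary ceiling on the method token.
  * The hardened handler answers 400 without echoing the method.
"""
import io
from http import HTTPStatus
import http.server


class _FakeSocket:
    """Constructed stand-in for a connected socket: request bytes in,
    response bytes captured. StreamRequestHandler uses makefile('rb') for
    reading and, with the default wbufsize == 0, sendall() for writing."""

    def __init__(self, request: bytes) -> None:
        self._rfile = io.BytesIO(request)
        self.sent = bytearray()

    def makefile(self, mode, bufsize=-1):
        if "r" not in mode:
            raise NotImplementedError("only read-side files are simulated")
        return self._rfile

    def sendall(self, data) -> None:
        self.sent += data


class _Quiet(http.server.BaseHTTPRequestHandler):
    """Silence stderr logging so the demo output is only the HTTP response.
    The stock handler would otherwise log the full request line and the
    error message, each carrying the oversized method, on every request."""

    def log_message(self, format, *args):  # same signature as the base class
        pass


class StockHandler(_Quiet):
    """Stock behaviour: only the 65536-byte request-line check applies."""


class HardenedHandler(_Quiet):
    """Rejects an oversized method token before the base class copies the
    request line into a 501 status line and an HTML error body."""

    MAX_METHOD_LEN = 32  # assumed ceiling; real methods are a few letters

    def parse_request(self):
        token = self.raw_requestline.split(maxsplit=1)[:1]
        if token and len(token[0]) > self.MAX_METHOD_LEN:
            # Same minimal state the base class sets on its 414 path, so
            # send_error() can build a response without the request line.
            self.command = ""
            self.requestline = ""
            self.request_version = ""
            self.send_error(HTTPStatus.BAD_REQUEST, "Request method too long")
            return False
        return super().parse_request()


def build_request(method_len: int) -> bytes:
    """Constructed request mirroring the report's `curl -X <A*n> /404`."""
    return b"A" * method_len + b" /404 HTTP/1.0\r\nHost: localhost\r\n\r\n"


def run_handler(handler_cls, raw_request: bytes) -> bytes:
    """Drive one handler over one request and return the raw response."""
    sock = _FakeSocket(raw_request)
    # BaseRequestHandler.__init__ runs setup(), handle() and finish().
    handler_cls(sock, ("127.0.0.1", 0), None)
    return bytes(sock.sent)


def demo() -> dict:
    """Return {(handler, case): (first 12 bytes of status line, size)}."""
    results = {}
    for case, n in (("under_limit", 65_000), ("over_limit", 70_000)):
        for cls in (StockHandler, HardenedHandler):
            resp = run_handler(cls, build_request(n))
            status = resp.split(b"\r\n", 1)[0][:12]
            results[(cls.__name__, case)] = (status, len(resp))
    return results


if __name__ == "__main__":
    for key, (status, size) in demo().items():
        print(f"{key[0]:16s} {key[1]:12s} {status.decode()}  {size:>7d} bytes")
```

Running it shows the shape of the problem: the 70,000-byte method trips the existing check and gets a short 414 from both handlers, while the 65,000-byte method passes it and the stock handler answers 501 with `Unsupported method ('AAAA…')` in both the status line and the HTML body, so each request is answered with more than twice the bytes it sent (plus two stderr log lines of the same size when logging is not suppressed). The hardened handler returns a few hundred bytes for the same input. Whether a loop of such requests actually knocks a given machine over, as the reporter observed, is not reproduced here; this only isolates the per-request cost.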