[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread miss-islington
miss-islington added the comment: New changeset 57038bcb24407a46e6d278d0ab4b6ad25bbf by Miss Islington (bot) in branch '3.7': bpo-34576 warn users on security for http.server (GH-9720) https://github.com/python/cpython/commit/57038bcb24407a46e6d278d0ab4b6ad25bbf

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread miss-islington
miss-islington added the comment: New changeset 3baee3b39765f5e8ec616b2b71b731b140486394 by Miss Islington (bot) in branch '3.6': bpo-34576 warn users on security for http.server (GH-9720) https://github.com/python/cpython/commit/3baee3b39765f5e8ec616b2b71b731b140486394

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread miss-islington
Change by miss-islington: pull_requests: +9179

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread miss-islington
Change by miss-islington: pull_requests: +9177

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-10 Thread Senthil Kumaran
Senthil Kumaran added the comment: New changeset 1d26c72e6a9c5b28b27c158f2f196217707dbb0f by Senthil Kumaran (Felipe Rodrigues) in branch 'master': bpo-34576 warn users on security for http.server (#9720) https://github.com/python/cpython/commit/1d26c72e6a9c5b28b27c158f2f196217707dbb0f

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-05 Thread Felipe Rodrigues
Change by Felipe Rodrigues: pull_requests: +9104

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2018-10-04 Thread Martin Panter
Martin Panter added the comment: Issue 34576 was recently opened about adding a security warning.
resolution: -> duplicate
stage: -> resolved
status: open -> closed
superseder: -> [EASY doc] http.server, SimpleHTTPServer: warn users on security

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-09-24 Thread Christian Heimes
Changes by Christian Heimes:
assignee: -> docs@python
components: +Documentation -Extension Modules
nosy: +docs@python
type: security -> enhancement
versions: +Python 3.7 -Python 3.2, Python 3.3, Python 3.4

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-01-04 Thread Richard Clifford
New submission from Richard Clifford: The issue comes when there is a malformed HTTP request not ending in a new line: it causes the server to hang, not time out, and causes a DoS. The request that I sent to the server was as follows: const char *headers = "GET / HTTP/1.1\r\nHost:

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-01-04 Thread Martin Panter
Martin Panter added the comment: I expect the server _is_ waiting for the end of the headers before handling the response. The problem is if you do not send the blank line, the server cannot know if you have ended the headers or if there are more to come. Perhaps you could set a socket

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-01-04 Thread STINNER Victor
STINNER Victor added the comment: "I think a server robust against that sort of stuff would be out of scope for SimpleHTTPServer." We can probably enhance SimpleHTTPServer but I agree that the server should remain simple. Maybe we should be more explicit in the documentation that the server

[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

2016-01-04 Thread Senthil Kumaran
Senthil Kumaran added the comment: SimpleHTTPServer is never meant to be used in production. I was of the understanding that we already inform users about it in the documentation, but I do not find any such note. Only in wsgiref's simple_server.py example, we state that in the module header
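
An added example, not part of the thread and not CPython's own code: the hang described in the original submission, run against a local http.server, beside the same handler with the `timeout` class attribute set so that a stalled header read is abandoned. The `make_handler` and `probe` helpers, the sample request and the 0.5 s value are assumptions made for illustration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed request: header block never terminated by the blank line.
UNTERMINATED = b"GET / HTTP/1.1\r\nHost: localhost\r\n"


def make_handler(read_timeout):
    """Hypothetical handler factory; read_timeout=None is the stock behaviour."""
    class Handler(BaseHTTPRequestHandler):
        # StreamRequestHandler.setup() applies this with settimeout();
        # handle_one_request() then drops the connection when a read times out.
        timeout = read_timeout

        def do_GET(self):
            self.send_response(204)
            self.end_headers()

        def log_message(self, fmt, *args):
            pass  # silence per-request logging for the demo

    return Handler


def probe(read_timeout, client_wait=2.0):
    """Return 'closed' if the server drops the stalled client, 'hung' if not."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(read_timeout))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address,
                                      timeout=client_wait) as conn:
            conn.sendall(UNTERMINATED)
            try:
                return "closed" if conn.recv(1024) == b"" else "answered"
            except socket.timeout:
                return "hung"  # server is still waiting for more headers
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("no timeout  :", probe(None))   # hung
    print("timeout=0.5 :", probe(0.5))    # closed
```

A read timeout only bounds how long one idle connection is held; it does not turn http.server into a production server, which is the point of the documentation warning the thread ends with.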