[New-bugs-announce] [issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer

Richard Clifford report at bugs.python.org
Mon Jan 4 03:54:10 EST 2016


New submission from Richard Clifford:

The issue comes when there is a malformed HTTP request not ending in a new line: it causes the server to hang, not time out, and causes a DoS.

The request that I sent to the server was as follows:
const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n";

Which should have been:
const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n\r\n";

This causes the application to await the second set of new-line sequences and hang until they are received, which prevents any further connections from being made.

I have just tested this against the latest versions of the library and I can supply a proof of concept code if that would be useful - just let me know.

A recommended fix would be to ensure that all HTTP requests are received in full and in the correct manner prior to being parsed.

----------
components: Extension Modules
files: basehttpdos.c
messages: 257446
nosy: Richard Clifford
priority: normal
severity: normal
status: open
title: Denial of Service in SimpleHTTPServer and BaseHTTPServer
type: security
versions: Python 2.7, Python 3.2, Python 3.3, Python 3.4, Python 3.5, Python 3.6
Added file: http://bugs.python.org/file41490/basehttpdos.c

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26005>
_______________________________________
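The hang described in the report comes from two defaults in the standard library: `BaseHTTPRequestHandler.timeout` is `None`, so `readline()` on a half-sent request blocks forever, and `HTTPServer` handles one connection at a time, so that single blocked socket stops every other client. The following is an added example (not code from the bug report or from CPython) showing the defensive configuration: the real `timeout` class attribute, which `StreamRequestHandler` applies to each accepted socket, combined with `socketserver.ThreadingMixIn`. The class names `HardenedHandler` and `HardenedServer`, the helper functions, and the constructed request bytes are this example's own; the server binds to a free port on 127.0.0.1 and the half-sent request is only ever sent to that local test server to verify that the mitigation works.

```python
"""Mitigating a half-sent request against http.server: per-connection socket
timeout plus one thread per connection.  Added example; the class and helper
names are this example's own, the library attributes are real."""
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from socketserver import ThreadingMixIn


class HardenedHandler(BaseHTTPRequestHandler):
    # StreamRequestHandler.setup() calls settimeout(self.timeout) on the
    # accepted socket.  With the library default (None) a readline() on a
    # request whose headers never end blocks forever; with a value, the
    # blocked read raises socket.timeout, which handle_one_request() catches
    # by closing the connection.
    timeout = 2

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass  # keep the example quiet; the timed-out request is logged otherwise


class HardenedServer(ThreadingMixIn, HTTPServer):
    # One thread per connection: a stalled client no longer blocks accept().
    daemon_threads = True


def start_server():
    """Bind to a free local port and serve in a background thread."""
    server = HardenedServer(("127.0.0.1", 0), HardenedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_raw(port, payload, read_timeout=5):
    """Send raw bytes and collect everything the server sends back until it
    closes the connection (an empty result means it closed without replying)."""
    with socket.create_connection(("127.0.0.1", port), timeout=read_timeout) as s:
        s.sendall(payload)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)


# Constructed requests: the first is the report's half-sent form (no blank
# line ending the headers), the second is well-formed.
STALLED_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost:8000\r\n"
COMPLETE_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost:8000\r\nConnection: close\r\n\r\n"


def demonstrate():
    """Hold one connection open with a half-sent request while a second,
    well-formed request is served.  Returns both outcomes: the stalled
    connection is closed by the server without a reply once the timeout
    fires, and the other client is answered in the meantime."""
    server = start_server()
    port = server.server_address[1]
    results = {}

    def stalled_client():
        results["stalled"] = send_raw(port, STALLED_REQUEST)

    t = threading.Thread(target=stalled_client)
    t.start()
    time.sleep(0.5)  # let the stalled connection be accepted first
    results["served"] = send_raw(port, COMPLETE_REQUEST)
    t.join()
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    r = demonstrate()
    print("stalled connection got:", r["stalled"])
    print("well-formed request got:", r["served"].split(b"\r\n")[0])
```

Either measure on its own narrows the problem: the timeout alone bounds how long a single-threaded server is stuck, while threading alone keeps other clients served but leaves each stalled thread open indefinitely. Using both is the combination a deployment behind an unauthenticated network edge needs.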