[New-bugs-announce] [issue43813] Denial of service on http.server module with large request method.
report at bugs.python.org
Mon Apr 12 09:17:08 EDT 2021
New submission from Mohammed Dief <mdaif1332 at gmail.com>:
- Hello there, 2 days ago i discovered a DoS on http.server in python that allows me to take any python http.server down using less than 1k requests. i reported it to PSRT but they said i should report it here since http.server isn't for production. so here's the issue, in server.py http.server library has a really big value on the validation. and check if the first line of the request (method /path HTTP/VERSION) have more than 65k characters inside of it using `len()` function.
- In this case, the user is able to provide a method with 65k characters long and the server will accept it, if you send one request with this number of characters inside of the request using cURL. you will notice that the server could handle it. but after creating a big loop of 1k requests with the same characters. the server was taken down and didn't response again since it was trying to process this amount of data.
- Such an attack could be used to take down any python server running using http.server module. but since it's not for production like the documentations said the attack surface isn't that wide.
- To proof this issue, you can use this command while running your server on port 8080 or any port you just need to modify the command: for i in $(python3 -c "print('A\n'*10000)"); do curl -X $(python3 -c "print('A'*10000)") 'http://localhost:8080/404' ; done
- Then the server should be taken down after many requests, also, i managed to fix this issue from my side by adding characters validation on the code to avoid interacting with the long data many times. should i submit it here. or should i create a PR? PS, my fix doesn't change the main requestline validation int.
title: Denial of service on http.server module with large request method.
versions: Python 3.6
Python tracker <report at bugs.python.org>
More information about the New-bugs-announce