[Python-bugs-list] [ python-Bugs-443120 ] denial-of-service attack to cgi.py
noreply@sourceforge.net
Sun, 22 Jul 2001 18:48:40 -0700
Bugs item #443120, was opened at 2001-07-20 09:13
You can respond by visiting:
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=443120&group_id=5470
Category: Python Library
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Guido van Rossum (gvanrossum)
Assigned to: Nobody/Anonymous (nobody)
Summary: denial-of-service attack to cgi.py
Initial Comment:
I got this in the mail:
"""
Subject: Bug in cgi.py, denial-of-service possible
From: Richard Jones <richard@bizarsoftware.com.au>
To: guido@python.org, support@digicool.com
Date: Fri, 20 Jul 2001 17:43:15 +1000
The inner workings of cgi.py are still a mystery to me, so I can't offer a patch. Sorry.
The following code will effect a denial-of-service against any server running cgi.py (and hence Zope).
import httplib
params = '\n'*10
h = httplib.HTTP('localhost', 8080)
h.putrequest('POST', '/')
# Content-type without a boundary parameter (Python 2 httplib API)
h.putheader('Content-type', 'multipart/form-data')
h.putheader('Content-length', str(len(params)))
h.endheaders()
h.send(params)
The key here is the missing boundary from the content-type header. From my observation, it seems that cgi.py defaults the boundary to "" which means that it matches boundaries without progressing through the input - creating new FieldStorage instances for each match. The result is all available RAM gobbled up eventually. I recommend testing this on a system on which you can easily kill the server process.
Richard
--
Richard Jones
richard@bizarsoftware.com.au
Senior Software Developer, Bizar Software
(www.bizarsoftware.com.au)
"""
----------------------------------------------------------------------
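The report above describes a multipart reader that accepts a Content-type with no boundary parameter and then never makes progress. The following Python 3 parser is an added example written for this page, not cgi.py's own code: it refuses a missing or empty boundary up front, validates the boundary against the RFC 2046 section 5.1.1 grammar (1 to 70 characters from a fixed alphabet, no trailing space), and, as an assumed extra safeguard the report does not mention, caps the number of parts so a valid boundary cannot be used to run the reader without bound either. The sample request bodies are constructed for the example; the ten-newline body and bare "multipart/form-data" header mirror the request in the report.

```python
import re

# RFC 2046, section 5.1.1: boundary := 0*69<bchars> bcharsnospace, so a
# boundary is 1 to 70 characters from this alphabet and may not end in a space.
_BCHARSNOSPACE = r"A-Za-z0-9'()+_,\-./:=?"
_BOUNDARY_RE = re.compile(r"[%s ]{0,69}[%s]" % (_BCHARSNOSPACE, _BCHARSNOSPACE))


class MultipartError(ValueError):
    """Raised for a request whose multipart framing cannot be trusted."""


def valid_boundary(boundary):
    """True if boundary satisfies the RFC 2046 boundary grammar."""
    return _BOUNDARY_RE.fullmatch(boundary) is not None


def _split_params(value):
    """'type; k=v; k2="v 2"' -> ('type', {'k': 'v', 'k2': 'v 2'}), keys lowercased."""
    main, *rest = value.split(";")
    params = {}
    for item in rest:
        if "=" not in item:
            continue
        key, val = item.split("=", 1)
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        params[key.strip().lower()] = val
    return main.strip().lower(), params


def boundary_from_content_type(content_type):
    """Return the boundary parameter, or None when the header carries none."""
    return _split_params(content_type)[1].get("boundary")


def _find_delim(body, delim, start):
    """Offset of the next delimiter that begins a line, or -1."""
    pos = body.find(delim, start)
    while pos > 0 and body[pos - 1:pos] != b"\n":
        pos = body.find(delim, pos + 1)
    return pos


def _parse_headers(raw):
    headers = {}
    for line in raw.decode("latin-1").splitlines():
        if ":" in line:
            name, val = line.split(":", 1)
            headers[name.strip().lower()] = val.strip()
    return headers


def parse_multipart(body, content_type, max_parts=1000):
    """Split a multipart body into parts, refusing unsafe framing up front."""
    boundary = boundary_from_content_type(content_type)
    # The check the report calls for: a missing (or empty) boundary is an
    # error, never a default of "" the reader could match without advancing.
    if boundary is None or not valid_boundary(boundary):
        raise MultipartError("multipart message with missing or invalid boundary: %r" % (boundary,))
    delim = b"--" + boundary.encode("ascii")
    pos = _find_delim(body, delim, 0)       # preamble before the first delimiter is discarded
    if pos < 0:
        raise MultipartError("body contains no boundary delimiter")
    parts = []
    while True:
        pos += len(delim)
        if body[pos:pos + 2] == b"--":       # "--boundary--" closes the message
            return parts
        # Assumed defense in depth: bound the work even when the boundary is valid.
        if len(parts) >= max_parts:
            raise MultipartError("more than %d parts" % max_parts)
        nl = body.find(b"\n", pos)
        if nl < 0:
            raise MultipartError("truncated multipart body")
        start = nl + 1
        nxt = _find_delim(body, delim, start)  # always > pos: delim is non-empty
        if nxt < 0:
            raise MultipartError("truncated multipart body: no closing delimiter")
        raw = body[start:nxt]
        # The line break before a delimiter belongs to the delimiter, not the part.
        if raw.endswith(b"\r\n"):
            raw = raw[:-2]
        elif raw.endswith(b"\n"):
            raw = raw[:-1]
        # Headers end at the first blank line (CRLF or LF); a part may have none.
        m = re.search(rb"(?:^|\r?\n)\r?\n", raw)
        head, data = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
        headers = _parse_headers(head)
        disp = _split_params(headers.get("content-disposition", ""))[1]
        parts.append({"name": disp.get("name"), "headers": headers, "data": data})
        pos = nxt


def is_rejected(body, content_type, max_parts=1000):
    """True when parse_multipart refuses the request instead of parsing it."""
    try:
        parse_multipart(body, content_type, max_parts)
    except MultipartError:
        return True
    return False


# Constructed sample inputs (not taken from the report).
GOOD_CT = 'multipart/form-data; boundary="xYzZY"'
GOOD_BODY = (b"--xYzZY\r\n"
             b'Content-Disposition: form-data; name="user"\r\n\r\nalice\r\n'
             b"--xYzZY\r\n"
             b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n'
             b"Content-Type: text/plain\r\n\r\nhello\r\nworld\r\n"
             b"--xYzZY--\r\n")
# The shape of the request in the report: ten newlines, no boundary parameter.
DOS_CT = "multipart/form-data"
DOS_BODY = b"\n" * 10

if __name__ == "__main__":
    print([p["name"] for p in parse_multipart(GOOD_BODY, GOOD_CT)])
    print("no-boundary request rejected:", is_rejected(DOS_BODY, DOS_CT))
```

The grammar check is deliberately stricter than a plain non-empty test: a boundary of "" and a boundary that is absent both fail it, as does one with a trailing space or more than 70 characters, so the only way into the part loop is with a delimiter the scanner can actually find and advance past.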
Comment By: Richard Jones (richard)
Date: 2001-07-22 18:48
Message:
Logged In: YES
user_id=6405
This is a patch - it's against a patched cgi.py (I've
applied the fix for "too many open files"). RFC 2046
requires a boundary argument for the multipart content
types (http://www.ietf.org/rfc/rfc2046.txt, 5.1.1, second
paragraph). This patch does fix the given exploit.
*** /usr/lib/python2.1/cgi.py Tue Jul 10 14:29:37 2001
--- cgi.py Mon Jul 23 11:37:45 2001
***************
*** 514,519 ****
--- 514,521 ----
if ctype == 'application/x-www-form-urlencoded':
self.read_urlencoded()
elif ctype[:10] == 'multipart/':
+ if not self.innerboundary:
+ raise ValueError, 'multipart message
with no boundary'
self.read_multi(environ, keep_blank_values,
strict_parsing)
else:
self.read_single()
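Review bot: the new guard at the top of the `multipart/` branch only tests that self.innerboundary is non-empty, but RFC 2046 5.1.1, which this comment cites, also restricts a boundary to 1-70 characters from a fixed alphabet with no trailing space; validating the full grammar in the same spot (for instance `if not valid_boundary(self.innerboundary):` with a small helper) would keep a malformed boundary out of read_multi as well as a missing one. Also, as rendered here the `raise ValueError, 'multipart message` string literal is split across two lines; make sure the applied patch keeps the message on one line, and note that callers of FieldStorage now need to expect ValueError from the constructor for such requests.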
----------------------------------------------------------------------