Facing the world with SimpleHTTPServer

Andrew Dalke adalke at mindspring.com
Mon Oct 18 19:10:50 EDT 2004


Jed Parsons wrote:
> So, before I ditch apache for the fun, all-python setup, are there any
> security concerns about using SimpleHTTPServer?
> Thanks for any advice/info,

I know it's open to denial of service attacks.

For example, if you give it a lot of headers, esp.
with long lines, then you can cause the server to
exhaust all memory.  Eventually.  Apache and the HTTP
protocol both have ways to limit the max header line
and the max number of headers received before giving
an error message.

If you're single threaded there's no timeout so
you can effectively make the machine freeze.  If
you're multi-threaded you can instead make the process
run out of available descriptors.

Of course Apache has the last problem too, but it
does allow timeouts on the total request time, so
if you feed it a character a second it will eventually
drop the request.  I think.

				Andrew
				dalke at dalkescientific.com
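The limits and timeout the post credits Apache with can be built into a Python server as well. The following is an added example, not code from the thread or from the Python standard library: a SimpleHTTPServer-style server that bounds request-line length, header-line length, header count and total head size, and sets a per-connection socket timeout so a client trickling one byte a second is dropped instead of holding a worker thread and its descriptor. The limit values, the class and function names, and the 32 KiB head cap are this example's own assumptions; current `http.server` already applies fixed limits of its own, and this is simply the configurable, inspectable version of the same idea.

```python
"""Added example, not code from the original thread: a SimpleHTTPServer-style
server with the header limits and request timeout the post says Apache has.
Limit values and all names here are this example's own choices."""
import functools
import io
import socket
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

MAX_LINE = 8190        # max bytes per request or header line (Apache default)
MAX_HEADERS = 100      # max header fields per request (Apache default)
MAX_HEAD = 32 * 1024   # assumed cap on the whole request head


class RequestTooLarge(ValueError):
    """Raised as soon as a limit is exceeded, before more input is buffered."""


def _read_line(rfile, max_line):
    # readline(n) returns at most n bytes, so asking for one byte more than
    # the limit detects an over-long line without reading the rest of it.
    line = rfile.readline(max_line + 1)
    if len(line) > max_line:
        raise RequestTooLarge("line exceeds %d bytes" % max_line)
    return line


def parse_request_head(rfile, max_line=MAX_LINE, max_headers=MAX_HEADERS,
                       max_head=MAX_HEAD):
    """Read the request line and headers from a binary stream under limits.
    Returns (request_line, headers) with lower-cased header names; raises
    RequestTooLarge on a limit, ValueError on malformed input."""
    request_line = _read_line(rfile, max_line)
    if not request_line.strip():
        raise ValueError("empty request line")
    total, count, headers = len(request_line), 0, {}
    while True:
        line = _read_line(rfile, max_line)
        total += len(line)
        if total > max_head:   # memory stays bounded whatever the client sends
            raise RequestTooLarge("request head exceeds %d bytes" % max_head)
        if line in (b"\r\n", b"\n", b""):      # blank line ends the head
            break
        count += 1                              # duplicates count as well
        if count > max_headers:
            raise RequestTooLarge("more than %d header fields" % max_headers)
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line")
        headers[name.strip().lower().decode("latin-1")] = (
            value.strip().decode("latin-1"))
    return request_line.rstrip(b"\r\n").decode("latin-1"), headers


def parse_head_bytes(data, **limits):
    """Offline helper: parse a request head from a constructed byte string."""
    return parse_request_head(io.BytesIO(data), **limits)


class LimitedHandler(SimpleHTTPRequestHandler):
    # StreamRequestHandler applies this as the socket timeout, so a client
    # sending one byte per second is dropped instead of holding a thread.
    timeout = 10

    def handle_one_request(self):
        """Read the head through parse_request_head, then dispatch as usual."""
        self.command = self.requestline = self.request_version = ""
        try:
            requestline, headers = parse_request_head(self.rfile)
        except RequestTooLarge as exc:
            self.send_error(HTTPStatus.REQUEST_HEADER_FIELDS_TOO_LARGE, str(exc))
            self.close_connection = True
            return
        except (socket.timeout, ValueError):
            self.close_connection = True
            return
        parts = requestline.split()
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            self.send_error(HTTPStatus.BAD_REQUEST, "Bad request syntax")
            self.close_connection = True
            return
        self.command, self.path, self.request_version = parts
        self.requestline = requestline
        self.headers = headers   # plain dict; sufficient for do_GET/do_HEAD
        method = getattr(self, "do_" + self.command, None)
        if method is None:
            self.send_error(HTTPStatus.NOT_IMPLEMENTED, "Unsupported method")
            return
        method()
        self.wfile.flush()


def serve(directory=".", port=8000):
    # One thread per connection keeps a slow client off the accept loop;
    # the handler timeout bounds how long each thread (and fd) can be held.
    handler = functools.partial(LimitedHandler, directory=directory)
    with ThreadingHTTPServer(("127.0.0.1", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it as a script to serve the current directory on 127.0.0.1:8000; `parse_head_bytes` lets the limits be exercised offline against constructed request heads. Rejected heads get a 431 response and the connection is closed, which is the behaviour the post describes Apache having for oversized headers.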

