Facing the world with SimpleHTTPServer

Andrew Dalke adalke at mindspring.com
Tue Oct 19 01:10:50 CEST 2004


Jed Parsons wrote:
> So, before I ditch apache for the fun, all-python setup, are there any
> security concerns about using SimpleHTTPServer?
> Thanks for any advice/info,

I know it's open to denial of service attacks.

For example, if you give it a lot of headers, esp.
with long lines, then you can cause the server to
exhaust all memory.  Eventually.  Apache and the HTTP
protocol both have ways to limit the max header line
and the max number of headers received before giving
an error message.

If you're single threaded there's no timeout so
you can effectively make the machine freeze.  If
you're multi-threaded you can instead make the process
run out of available descriptors.

Of course Apache has the last problem too, but it
does allow timeouts on the total request time so
feeding it a character a second and it will eventually
drop the request.  I think.

				Andrew
				dalke at dalkescientific.com



More information about the Python-list mailing list