Hello EveryOne,

Payload : 12**62**6
Test script:

import math
math.log10(12**62**6)

Program is looping. I tested apache server and flask web framework.
Result:
Frozen in frost. Cpu usage : %90-99 , system runs but server shutdowns.

Author : Onur TAŞLIOĞLU

Please can you give more details about why you consider this a problem?

Yes, some computations take a long time. I fail to see why this is an issue.

Very very very long and the server unreachable all path.

On Fri, Nov 11, 2016 at 7:08 PM, Mark Dickinson <report@bugs.python.org>
wrote:

>
> Mark Dickinson added the comment:
>
> Please can you give more details about why you consider this a problem?
>
> Yes, some computations take a long time. I fail to see why this is an
> issue.
>
> ----------
> nosy: +mark.dickinson
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue28669>
> _______________________________________
>

Thanks. The solution here is "Don't do that, then." That is, don't allow this code to execute on your server in the first place.

At a guess, you've got a multithreaded server that's executing the given code on one thread, while continuing to listen for connections on another. Now the problem is not only that the power computation takes a long time, but also that the slow part all happens in a single bytecode instruction, so the GIL never gets released while the power operation is in progress, and no other threads can run.

In theory it might be possible to rework the power operation to release the GIL now and then, but even if we did that there are plenty of other examples in the language that are going to have a similar effect (running for a long time without releasing the GIL). Changing all those isn't particularly practical.

IOW, I'm afraid this isn't a problem with the core Python language; it's a problem with how you're using it: you want to think very carefully before allowing arbitrary untrusted code to execute on your server (if that's what you're doing), for reasons exactly like this one.

I will take a video on this subject.
Then I will say the end result.

Thanks a lot.

On Fri, Nov 11, 2016 at 7:27 PM, Mark Dickinson <report@bugs.python.org>
wrote:

>
> Mark Dickinson added the comment:
>
> Thanks. The solution here is "Don't do that, then." That is, don't allow
> this code to execute on your server in the first place.
>
> At a guess, you've got a multithreaded server that's executing the given
> code on one thread, while continuing to listen for connections on another.
> Now the problem is not only that the power computation takes a long time,
> but also that the slow part all happens in a single bytecode instruction,
> so the GIL never gets released while the power operation is in progress,
> and no other threads can run.
>
> In theory it might be possible to rework the power operation to release
> the GIL now and then, but even if we did that there are plenty of other
> examples in the language that are going to have a similar effect (running
> for a long time without releasing the GIL). Changing all those isn't
> particularly practical.
>
> IOW, I'm afraid this isn't a problem with the core Python language; it's a
> problem with how you're using it: you want to think very carefully before
> allowing arbitrary untrusted code to execute on your server (if that's what
> you're doing), for reasons exactly like this one.
>
> ----------
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue28669>
> _______________________________________
>

I think this should be marked as "not a bug" as closed.

> Very very very long and the server unreachable all path.

If a server wants to allow users to run arbitrary code, a sandbox protecting the server must be used: limit CPU usage, limit total duration (time), etc.

"while 1: pass" is another simple snippet to eat server resources.

I agree, it's not a bug, it's a feature.