classification
Title: httpserver request length
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.1, Python 3.2, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: pitrou, rosslagerwall
Priority: normal Keywords: patch

Created on 2010-12-16 04:48 by rosslagerwall, last changed 2010-12-16 17:12 by pitrou. This issue is now closed.

Files
File name Uploaded Description Edit
httpserver_py3k.patch rosslagerwall, 2010-12-16 04:48 py3k patch to limit length + unittest
httpserver_py3k_v2.patch rosslagerwall, 2010-12-16 16:20 updated to use threading & not hardcode port
Messages (4)
msg124106 - (view) Author: Ross Lagerwall (rosslagerwall) (Python committer) Date: 2010-12-16 04:48
BaseHTTPRequestHandler in http.server does not limit the length of the request line so a malicious client can cause the server to run out of memory with a malicious request.

This patch limits the length to 64K (like Apache) and sends Error 414 if it exceeds this.
msg124135 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-12-16 15:29
Thanks for the patch. First, there's no need to use multiprocessing here. Threading would be sufficient. Second, you shouldn't use an explicit port number, but instead let the server bind itself to whatever port is available (I think 0 using as the port number achieves that).
msg124137 - (view) Author: Ross Lagerwall (rosslagerwall) (Python committer) Date: 2010-12-16 16:20
OK, here is an updated patch using threading & 0 as a port number.
msg124139 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2010-12-16 17:12
It turns out the test could be simplified a lot by reusing the existing infrastructure. I've committed the modified patch in r87317 (3.2), r87318 (3.1) and r87320 (2.7). Thank you!
History
Date User Action Args
2010-12-16 17:12:33pitrousetstatus: open -> closed
nosy: pitrou, rosslagerwall
messages: + msg124139

resolution: fixed
stage: resolved
2010-12-16 16:20:34rosslagerwallsetfiles: + httpserver_py3k_v2.patch
nosy: pitrou, rosslagerwall
messages: + msg124137
2010-12-16 15:29:28pitrousetnosy: pitrou, rosslagerwall
messages: + msg124135
versions: + Python 3.1, Python 2.7
2010-12-16 04:53:55rosslagerwallsetnosy: + pitrou
2010-12-16 04:48:10rosslagerwallcreate