classification
Title: BaseHTTPServer uses deprecated mimetools.Message
Type:
Stage:
Components: Library (Lib)
Versions:
process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To:
Nosy List: benjamin.peterson, hdiogenes, kousu, paulj
Priority: normal
Keywords:

Created on 2005-04-11 04:26 by paulj, last changed 2008-06-23 00:37 by benjamin.peterson. This issue is now closed.

Messages (4)
msg60725 - (view) Author: Paul Jimenez (paulj) Date: 2005-04-11 04:26
BaseHTTPServer used a deprecated (as of 2.3) class:
mimetools.Message.  cgi.py also uses it, but that's
getting fixed.  If only there was just a single API for
writing webapps.
msg60726 - (view) Author: Nick Guenther (kousu) Date: 2006-01-15 12:03
There's a DoS attack possible here because of it, actually.
mimetools.Message locks up if it never sees '\r\n\r\n'. Thus
to crash a BaseHTTPServer all one must do is:
echo "GET / HTTP/1.1" > nc host port.
msg68550 - (view) Author: Humberto Diógenes (hdiogenes) * Date: 2008-06-21 21:59
This was solved in Python 3.0: http.server now uses email.parser (issue2848), which is not 
vulnerable to the DoS attack mentioned by Nick.

Should we backport these changes to 2.6? As HTTPMessage's base class was changed to
email.message, additional work would be necessary to maintain API compatibility (i.e.,
implementing an interface similar to mimetools.Message in HTTPMessage).
msg68599 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-06-23 00:37
Let's save ourselves the trouble...
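
A bounded header read for the condition described in msg60726, where the server waits for a '\r\n\r\n' that never arrives. This is an added example, not code from this tracker or from CPython; the deadline, the size cap and the names read_request_head, probe and HeaderReadError are assumptions, and the request bytes are constructed.

```python
import socket
import time
from email.parser import BytesParser

MAX_HEADER_BYTES = 16 * 1024   # assumed cap, not a value from the issue
HEADER_DEADLINE = 0.5          # seconds; assumed, tune per deployment


class HeaderReadError(Exception):
    """Client did not deliver a complete header block."""


def read_request_head(conn, deadline=HEADER_DEADLINE, limit=MAX_HEADER_BYTES):
    """Return (request_line, headers) or raise HeaderReadError."""
    # One deadline covers the whole header block, so a client that
    # trickles bytes cannot reset it with each recv().
    end = time.monotonic() + deadline
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0:
            raise HeaderReadError("timeout waiting for end of headers")
        if len(buf) > limit:
            raise HeaderReadError("header block too large")
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise HeaderReadError("timeout waiting for end of headers") from None
        if not chunk:
            raise HeaderReadError("connection closed before end of headers")
        buf += chunk
    head, _, _body = buf.partition(b"\r\n\r\n")
    request_line, _, raw_headers = head.partition(b"\r\n")
    headers = BytesParser().parsebytes(raw_headers + b"\r\n\r\n", headersonly=True)
    return request_line.decode("iso-8859-1"), headers


def probe(payload, **kw):
    """Feed constructed bytes to the reader over a local socket pair."""
    server_side, client_side = socket.socketpair()
    try:
        client_side.sendall(payload)
        return read_request_head(server_side, **kw)
    except HeaderReadError as exc:
        return str(exc)
    finally:
        server_side.close()
        client_side.close()
```
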
History
Date User Action Args
2008-06-23 00:37:01 benjamin.peterson set status: open -> closed; resolution: out of date; messages: + msg68599; nosy: + benjamin.peterson
2008-06-21 21:59:11 hdiogenes set nosy: + hdiogenes; messages: + msg68550
2005-04-11 04:26:39 paulj create