This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: BaseHTTPServer uses deprecated mimetools.Message
Type: Stage:
Components: Library (Lib) Versions:
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: Nosy List: benjamin.peterson, hdiogenes, kousu, paulj
Priority: normal Keywords:

Created on 2005-04-11 04:26 by paulj, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (4)
msg60725 - (view) Author: Paul Jimenez (paulj) Date: 2005-04-11 04:26
BaseHTTPServer used a deprecated (as of 2.3) class:
mimetools.Message. also uses it, but that's
getting fixed.  If only there was just a single API for
writing webapps.
msg60726 - (view) Author: Nick Guenther (kousu) Date: 2006-01-15 12:03
Logged In: YES 

There's a DoS attack possible here because of it, actually.
mimetools.Message locks up if it never sees '\r\n\r\n'. Thus
to crash a BaseHTTPServer all one must do is:
echo "GET / HTTP/1.1" > nc host port.
msg68550 - (view) Author: Humberto Diógenes (hdiogenes) * Date: 2008-06-21 21:59
This was solved in Python 3.0: http.server now uses email.parser (issue2848), which is not 
vulnerable to the DoS attack mentioned by Nick.

Should we backport these changes to 2.6? As HTTPMessage's base class was changed to 
email.message, additional work would be necessary to maintain API compatibility (ie.: 
implementing an interface similar to mimetools.Message in HTTPMessage).
msg68599 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-06-23 00:37
Let's save ourselves the trouble...
Date User Action Args
2022-04-11 14:56:10adminsetgithub: 41844
2008-06-23 00:37:01benjamin.petersonsetstatus: open -> closed
resolution: out of date
messages: + msg68599
nosy: + benjamin.peterson
2008-06-21 21:59:11hdiogenessetnosy: + hdiogenes
messages: + msg68550
2005-04-11 04:26:39pauljcreate