This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Denial of Service in SimpleHTTPServer and BaseHTTPServer
Type: enhancement Stage: resolved
Components: Documentation Versions: Python 3.7, Python 3.6, Python 3.5, Python 2.7
Status: closed Resolution: duplicate
Dependencies: Superseder: [EASY doc] http.server, SimpleHTTPServer: warn users on security
View: 34576
Assigned To: docs@python Nosy List: Richard Clifford, brett.cannon, docs@python, ethan.furman, martin.panter, miss-islington, orsenthil, vstinner
Priority: normal Keywords:

Created on 2016-01-04 08:54 by Richard Clifford, last changed 2022-04-11 14:58 by admin. This issue is now closed.

File name Uploaded Description Edit
basehttpdos.c Richard Clifford, 2016-01-04 08:54 SimpleHTTPServer Dos POC
Pull Requests
URL Status Linked Edit
PR 9720 merged fbidu, 2018-10-05 17:38
PR 9794 merged miss-islington, 2018-10-11 02:44
PR 9795 merged miss-islington, 2018-10-11 02:44
Messages (9)
msg257446 - (view) Author: Richard Clifford (Richard Clifford) Date: 2016-01-04 08:54
The issue comes when there is a malformed HTTP request not ending in a new line, it causes the server to hang, not timeout and causes a DoS.

The request that I sent to the server was as follows:
const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n";

Which should have been:
const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n\r\n";

This causes a the application to await the second set of new-line sequences and hang until they are received which prevents any further connections from being made. 

I have just tested this against the latest versions of the library and I can supply a proof of concept code if that would be useful - just let me know.

A recommended fix would be to ensure that all HTTP requests are received in full and in the correct manor prior to being parsed.
msg257447 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-01-04 09:28
I expect the server _is_ waiting for the end of the headers before handling the response. The problem is if you do not send the blank line, the server cannot know if you have ended the headers or if there are more to come.

Perhaps you could set a socket timeout in the server. But an attacker could still send little bits of the header very slowly (called Slow Loris attack or something I think). I think a server robust against that sort of stuff would be out of scope for SimpleHTTPServer.
msg257448 - (view) Author: STINNER Victor (vstinner) * (Python committer) Date: 2016-01-04 09:35
"I think a server robust against that sort of stuff would be out of scope for SimpleHTTPServer."

We can probably enhance SimpleHTTPServer but I agree that the server should remain simple. Maybe we should be more explicit in the documentation that the server requires to trust users?
msg257474 - (view) Author: Brett Cannon (brett.cannon) * (Python committer) Date: 2016-01-04 17:43
A warning directive at the start of http.server about needing to trust users would work?
msg257517 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2016-01-05 05:30
SimpleHTTPServer is never meant to be used in production.

I was of the understanding that we already inform users about it in the documentation, but I do not find any such note. Only in wsgiref's example, we state that in the module header

For SimpleHTTPServer, we could add a similar warning in docs.

"SimpleHTTPServer is meant for demo purposes and does not implement the stringent security checks needed of real HTTP server. We do not recommend using this module directly in production."

If an alternate wording is desired, please suggest in that in comments.
msg327087 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2018-10-04 21:20
Issue 34576 was recently opened about adding a security warning.
msg327505 - (view) Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2018-10-11 02:43
New changeset 1d26c72e6a9c5b28b27c158f2f196217707dbb0f by Senthil Kumaran (Felipe Rodrigues) in branch 'master':
bpo-34576 warn users on security for http.server (#9720)
msg327510 - (view) Author: miss-islington (miss-islington) Date: 2018-10-11 03:31
New changeset 3baee3b39765f5e8ec616b2b71b731b140486394 by Miss Islington (bot) in branch '3.6':
bpo-34576 warn users on security for http.server (GH-9720)
msg327513 - (view) Author: miss-islington (miss-islington) Date: 2018-10-11 03:55
New changeset 57038bcb24407abbbb46e6d278d0ab4b6ad25bbf by Miss Islington (bot) in branch '3.7':
bpo-34576 warn users on security for http.server (GH-9720)
Date User Action Args
2022-04-11 14:58:25adminsetgithub: 70193
2018-10-11 03:55:37miss-islingtonsetmessages: + msg327513
2018-10-11 03:31:34miss-islingtonsetnosy: + miss-islington
messages: + msg327510
2018-10-11 02:44:28miss-islingtonsetpull_requests: + pull_request9179
2018-10-11 02:44:21miss-islingtonsetpull_requests: + pull_request9177
2018-10-11 02:43:46orsenthilsetmessages: + msg327505
2018-10-05 17:38:17fbidusetpull_requests: + pull_request9104
2018-10-04 21:20:11martin.pantersetstatus: open -> closed
superseder: [EASY doc] http.server, SimpleHTTPServer: warn users on security
messages: + msg327087

resolution: duplicate
stage: resolved
2016-09-24 19:54:37christian.heimessetversions: + Python 3.7, - Python 3.2, Python 3.3, Python 3.4
nosy: + docs@python

assignee: docs@python
components: + Documentation, - Extension Modules
type: security -> enhancement
2016-01-05 05:30:14orsenthilsetnosy: + orsenthil
messages: + msg257517
2016-01-04 18:10:14ethan.furmansetnosy: + ethan.furman
2016-01-04 17:43:41brett.cannonsetnosy: + brett.cannon
messages: + msg257474
2016-01-04 09:35:07vstinnersetnosy: + vstinner
messages: + msg257448
2016-01-04 09:28:06martin.pantersetnosy: + martin.panter
messages: + msg257447
2016-01-04 08:54:10Richard Cliffordcreate