
Classification
Title: urllib http client vulnerable to DOS attack
Type: security
Stage:
Components: Library (Lib)
Versions: Python 3.10

Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, haqsek2, orsenthil
Priority: normal
Keywords:

Created on 2021-11-12 15:55 by haqsek2, last changed 2022-04-11 14:59 by admin.

Files
File name | Uploaded | Description
server.py | haqsek2, 2021-11-12 15:55 | server.py file to start an evil server
max_time.png | haqsek2, 2021-11-18 12:09 |
curl.png | haqsek2, 2021-11-18 12:10 |
Messages (10)
msg406220 - Author: Muhammad Farhan (haqsek2) Date: 2021-11-12 15:55
Hi, during my recent tests I have discovered that the urllib http client (urllib.request.urlopen()) is vulnerable to a DOS attack using a simple but effective trick.

I am attaching a file named server.py; download it and run it using the latest version of Python. After running it, execute the following Python code in interactive mode (python -i):

    import urllib.request
    # the evil server from server.py listens on 127.0.0.1:1338
    request = urllib.request.Request('http://127.0.0.1:1338')
    # timeout=1 is applied per socket operation, not to the whole request
    response = urllib.request.urlopen(request, timeout=1)

DOS limit: we can achieve DOS for unlimited time.

How to fix?
Implement proper timeout logic in urllib.request.urlopen(url, timeout). The timeout value should not be reset after the client receives data (bytes), because this can easily be abused to achieve DOS.
msg406349 - Author: Muhammad Farhan (haqsek2) Date: 2021-11-15 11:57
Is anyone going to respond?
msg406519 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2021-11-18 06:03
> The timeout value should not be reset after the client receives data (bytes), because this can easily be abused to achieve DOS.

Interesting. I looked at the server example.

Do clients like curl have something like this too?
msg406531 - Author: Muhammad Farhan (haqsek2) Date: 2021-11-18 12:09
Yes, other clients like curl do not reset the timeout.

See the attached screenshots for references.
msg406532 - Author: Muhammad Farhan (haqsek2) Date: 2021-11-18 12:10
See the max_time.png and curl.png.
msg406537 - Author: Muhammad Farhan (haqsek2) Date: 2021-11-18 14:36
So, the idea is to make the timeout apply to the whole operation, and it should not reset in any case.
msg406543 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-11-18 16:01
Please don't post screenshots. Screenshots are neither accessible nor searchable. It's better to link to documentation and copy the relevant sentences here.
msg406556 - Author: Muhammad Farhan (haqsek2) Date: 2021-11-18 17:13
Maximum time in seconds that you allow the whole operation to take. This is useful for preventing your batch jobs from hanging for hours due to slow networks or links going down. Since 7.32.0, this option accepts decimal values, but the actual timeout will decrease in accuracy as the specified timeout increases in decimal precision.

If this option is used several times, the last one will be used.

Examples:

 curl --max-time 10 https://example.com
 curl --max-time 2.92 https://example.com

Ref: https://curl.se/docs/manpage.html#-m
msg407047 - Author: Muhammad Farhan (haqsek2) Date: 2021-11-26 13:26
Hi,
Hope all of you are doing well. It looks like you are not interested in this issue. Can you please provide me the source code for the urllib? I will fix it myself.
msg407061 - Author: Senthil Kumaran (orsenthil) * (Python committer) Date: 2021-11-26 16:05
Hi Muhammad,

I haven't gotten to this. urllib doesn't maintain a client state across multiple requests/responses.

The code is available here: https://github.com/python/cpython/tree/main/Lib/urllib
History
Date | User | Action | Args
2022-04-11 14:59:52 | admin | set | github: 89953
2021-11-26 16:05:09 | orsenthil | set | messages: + msg407061
2021-11-26 13:26:24 | haqsek2 | set | messages: + msg407047
2021-11-18 17:13:32 | haqsek2 | set | messages: + msg406556
2021-11-18 16:01:08 | christian.heimes | set | nosy: + christian.heimes; messages: + msg406543
2021-11-18 14:36:19 | haqsek2 | set | messages: + msg406537
2021-11-18 12:10:19 | haqsek2 | set | files: + curl.png; messages: + msg406532
2021-11-18 12:09:30 | haqsek2 | set | files: + max_time.png; messages: + msg406531
2021-11-18 06:03:39 | orsenthil | set | messages: + msg406519
2021-11-17 21:31:51 | ned.deily | set | nosy: + orsenthil
2021-11-15 11:57:58 | haqsek2 | set | messages: + msg406349
2021-11-12 15:55:25 | haqsek2 | create |