➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2021-11-12 15:55 by haqsek2, last changed 2022-04-11 14:59 by admin.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| server.py | haqsek2, 2021-11-12 15:55 | server.py file to start a evil server | ||
| max_time.png | haqsek2, 2021-11-18 12:09 | |||
| curl.png | haqsek2, 2021-11-18 12:10 | |||
| Messages (10) | |||
|---|---|---|---|
| msg406220 - (view) | Author: Muhammad Farhan (haqsek2) | Date: 2021-11-12 15:55 | |
Hi, During my recent tests I have discovered that the urllib http client (urllib.request.urlopen()) is vulnerable to DOS attack using a simple but effective trick.
I am attaching a file named server.py download it and run it using latest version of python. After running it execute the following python code in python interactive mode. (python -i)
import urllib.request
request = urllib.request.Request('http://127.0.0.1:1338')
response = urllib.request.urlopen(req, timeout=1)
DOS limit: We can achieve DOS for unlimited time.
How to fix?
Implement a good logic for timeout in urllib.request.urlopen(url, timeout). Timeout value should not be reset after client receives a data(bytes), because it can easily be abused to achieve DOS.
|
|||
| msg406349 - (view) | Author: Muhammad Farhan (haqsek2) | Date: 2021-11-15 11:57 | |
Is any one going to respond? |
|||
| msg406519 - (view) | Author: Senthil Kumaran (orsenthil) *  |
Date: 2021-11-18 06:03 | |
> Timeout value should not be reset after client receives a data(bytes), because it can easily be abused to achieve DOS. Interesting. I looked the server example. Does clients like curl have something like this too? |
|||
| msg406531 - (view) | Author: Muhammad Farhan (haqsek2) | Date: 2021-11-18 12:09 | |
Yes, other clients like curl does not reset the timeout See the attached screenshots for references. |
|||
| msg406532 - (view) | Author: Muhammad Farhan (haqsek2) | Date: 2021-11-18 12:10 | |
See the max_time.png and curl.png |
|||
| msg406537 - (view) | Author: Muhammad Farhan (haqsek2) | Date: 2021-11-18 14:36 | |
So, the idea is to make timeout for the whole operation and it should not reset in any case. |
|||
| msg406543 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2021-11-18 16:01 | |
Please don't post screenshots. Screenshots are neither accessible nor searchable. It's better to link to documentation and copy the relevant sentences here. |
|||
| msg406556 - (view) | Author: Muhammad Farhan (haqsek2) | Date: 2021-11-18 17:13 | |
Maximum time in seconds that you allow the whole operation to take. This is useful for preventing your batch jobs from hanging for hours due to slow networks or links going down. Since 7.32.0, this option accepts decimal values, but the actual timeout will decrease in accuracy as the specified timeout increases in decimal precision. If this option is used several times, the last one will be used. Examples: curl --max-time 10 https://example.com curl --max-time 2.92 https://example.com Ref: https://curl.se/docs/manpage.html#-m |
|||
| msg407047 - (view) | Author: Muhammad Farhan (haqsek2) | Date: 2021-11-26 13:26 | |
Hi, Hope all of you are doing good. Looks like you guys are not interested in this issue. Can you please provide me the source code for yhe urllib, I will fix it myself |
|||
| msg407061 - (view) | Author: Senthil Kumaran (orsenthil) * |
Date: 2021-11-26 16:05 | |
Hi Muhammad, I haven't gotten to this. urllib doesn't maintain a client state during multiple request / response. The code is available here https://github.com/python/cpython/tree/main/Lib/urllib |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:52 | admin | set | github: 89953 |
| 2021-11-26 16:05:09 | orsenthil | set | messages: + msg407061 |
| 2021-11-26 13:26:24 | haqsek2 | set | messages: + msg407047 |
| 2021-11-18 17:13:32 | haqsek2 | set | messages: + msg406556 |
| 2021-11-18 16:01:08 | christian.heimes | set | nosy:
+ christian.heimes messages: + msg406543 |
| 2021-11-18 14:36:19 | haqsek2 | set | messages: + msg406537 |
| 2021-11-18 12:10:19 | haqsek2 | set | files:
+ curl.png messages: + msg406532 |
| 2021-11-18 12:09:30 | haqsek2 | set | files:
+ max_time.png messages: + msg406531 |
| 2021-11-18 06:03:39 | orsenthil | set | messages: + msg406519 |
| 2021-11-17 21:31:51 | ned.deily | set | nosy:
+ orsenthil |
| 2021-11-15 11:57:58 | haqsek2 | set | messages: + msg406349 |
| 2021-11-12 15:55:25 | haqsek2 | create | |