
Author Richard Clifford
Recipients Richard Clifford
Date 2016-01-04.08:54:09
Message-id <1451897650.58.0.64883073344.issue26005@psf.upfronthosting.co.za>
Content
The issue comes when there is a malformed HTTP request not ending in a new line; it causes the server to hang and not time out, and causes a DoS.

The request that I sent to the server was as follows:
const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n";

Which should have been:
const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n\r\n";

This causes the application to await the second set of new-line sequences and hang until they are received, which prevents any further connections from being made.

I have just tested this against the latest versions of the library and I can supply proof-of-concept code if that would be useful - just let me know.

A recommended fix would be to ensure that all HTTP requests are received in full and in the correct manner prior to being parsed.
History
Date | User | Action | Args
2016-01-04 08:54:10 | Richard Clifford | set | recipients: + Richard Clifford
2016-01-04 08:54:10 | Richard Clifford | set | messageid: <1451897650.58.0.64883073344.issue26005@psf.upfronthosting.co.za>
2016-01-04 08:54:10 | Richard Clifford | link | issue26005 messages
2016-01-04 08:54:10 | Richard Clifford | create |
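
One way to bound the wait described in the report, as an added example that is not part of the original message or of the library's code: a header reader with an overall deadline, so a request missing the final blank line gets a 408 instead of holding the connection open. The names `read_request_head`, `handle`, `demo` and the limits are assumptions for illustration; the requests are the two from the report, sent over a local socket pair.

```python
import socket
import time

HEADER_END = b"\r\n\r\n"  # blank line that terminates the HTTP header block


class IncompleteRequest(Exception):
    """The header block did not finish within the configured limits."""


def read_request_head(conn, deadline_s=2.0, max_bytes=65536):
    """Read until the header terminator, under one deadline for the whole head."""
    deadline = time.monotonic() + deadline_s
    buf = b""
    while HEADER_END not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise IncompleteRequest("header terminator not received in time")
        if len(buf) >= max_bytes:
            raise IncompleteRequest("header block too large")
        # Each recv may only wait for what is left of the overall deadline,
        # so a peer trickling bytes cannot keep resetting the timer.
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(4096)
        except socket.timeout:
            raise IncompleteRequest("header terminator not received in time")
        if not chunk:
            raise IncompleteRequest("peer closed before end of headers")
        buf += chunk
    return buf.partition(HEADER_END)[0]


def handle(conn, deadline_s=2.0):
    """Return 200 for a complete request head, 408 (Request Timeout) otherwise."""
    try:
        read_request_head(conn, deadline_s)
        return 200
    except IncompleteRequest:
        return 408


def demo(request_bytes, deadline_s=0.3):
    """Send constructed bytes through a local socket pair; return the status."""
    client, server = socket.socketpair()
    try:
        client.sendall(request_bytes)
        return handle(server, deadline_s)
    finally:
        client.close()
        server.close()
```

The deadline only frees the stalled connection; a server that handles one connection at a time still serves nobody else until it expires.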