Message302060
Python's email parser consumes a lot of resources (CPU and memory) when parsing emails with a large amount of MIME parts. Attackers can probably exploit this behavior to perform denial-of-service (DoS) attacks.
A potentially malicious email has the following structure:
=============================================
From: sender@example.com
To: recipient@example.com
Subject: Mutlipart DoS Attack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="n"
This is a multi-part message in MIME format.
--n
b
--n
... a lot of parts here...
--n
b
--n--
=============================================
On my machine parsing an email with 1 million MIME parts takes around 20 seconds and with 10 million MIME parts over 3 minutes.
In my opinion, the number of MIME parts should be limited to some reasonable value to mitigate this kind of attack. The bug report contains a Python script with a proof-of-concept.
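A pre-parse guard in the spirit of the limit proposed above, added here as an illustration and not code from the report or from CPython's email package; MAX_MIME_PARTS and the helper names are assumptions, and the message builder only constructs a small sample shaped like the structure shown:

```python
import email
from email import policy
from email.parser import HeaderParser

# Assumed cap for this example; the report asks for "some reasonable value" without fixing one.
MAX_MIME_PARTS = 1000


def build_multipart(n_parts, boundary="n"):
    """Constructed sample: a multipart/mixed message with n_parts one-byte bodies,
    laid out like the structure in the report (blank line added before each body)."""
    lines = ["From: sender@example.com", "To: recipient@example.com",
             "Subject: Multipart sample", "MIME-Version: 1.0",
             f'Content-Type: multipart/mixed; boundary="{boundary}"', "",
             "This is a multi-part message in MIME format."]
    for _ in range(n_parts):
        lines += [f"--{boundary}", "", "b"]
    lines.append(f"--{boundary}--")
    return "\n".join(lines) + "\n"


def count_delimiters(raw, boundary):
    """Cheap linear scan for top-level part delimiters, done before any MIME parsing.
    The closing '--boundary--' line is deliberately not counted."""
    marker = "--" + boundary
    return sum(1 for line in raw.split("\n") if line.rstrip("\r") == marker)


def parse_with_limit(raw, max_parts=MAX_MIME_PARTS):
    """Parse only the headers to read the declared boundary, count delimiters, and
    refuse a message that declares more top-level parts than max_parts before the
    (expensive) full parse is attempted."""
    headers = HeaderParser(policy=policy.default).parsestr(raw, headersonly=True)
    boundary = headers.get_boundary()
    if boundary is not None:
        n = count_delimiters(raw, boundary)
        if n > max_parts:
            raise ValueError(f"refusing message with {n} top-level MIME parts (limit {max_parts})")
    return email.message_from_string(raw, policy=policy.default)


def top_level_part_count(msg):
    """Number of direct subparts of a parsed multipart message (0 for a non-multipart)."""
    return sum(1 for _ in msg.iter_parts()) if msg.is_multipart() else 0


def is_rejected(raw, max_parts):
    """True when parse_with_limit refuses the message under the given cap."""
    try:
        parse_with_limit(raw, max_parts)
    except ValueError:
        return True
    return False
```

The guard only counts delimiters of the outermost boundary; nested multipart bodies carry their own boundaries and would need the same check applied per level (or a cap on total parts after parsing) to bound the whole tree.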
History:
2017-09-13 12:19:54 | ckossmann | set | recipients: + ckossmann, barry, r.david.murray
2017-09-13 12:19:54 | ckossmann | set | messageid: <1505305194.38.0.647391715895.issue31449@psf.upfronthosting.co.za>
2017-09-13 12:19:54 | ckossmann | link | issue31449 messages
2017-09-13 12:19:54 | ckossmann | create