This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author ckossmann
Recipients barry, ckossmann, r.david.murray
Date 2017-09-13.12:19:53
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1505305194.38.0.647391715895.issue31449@psf.upfronthosting.co.za>
In-reply-to
Content
Python's email parser consumes a lot of resources (CPU and memory) when parsing emails with a large amount of MIME parts. Attackers can probably exploit this behavior to perform denial-of-service (DoS) attacks.

A potentially malicious email has the following structure:

=============================================
From: sender@example.com
To: recipient@example.com
Subject: Multipart DoS Attack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="n"

This is a multi-part message in MIME format.
--n

b

--n

... a lot of parts here...

--n

b

--n--
=============================================

On my machine parsing an email with 1 million MIME parts takes around 20 seconds and with 10 million MIME parts over 3 minutes.

In my opinion, the number of MIME parts should be limited to some reasonable value to mitigate this kind of attack. The bug report contains a Python script with a proof-of-concept.
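The mitigation suggested above can be applied in front of the parser without waiting for a change to the standard library. The following is an added example, not code from the bug report or from CPython: it parses only the headers, counts the outer boundary delimiters in one linear pass, and refuses to run the full parser when the count exceeds a limit. The limit `MAX_PARTS`, the helper names and the sample message are all constructed for this example; `email.parser.BytesHeaderParser`, `get_boundary()` and `message_from_bytes` are the real standard-library APIs.

```python
"""Pre-parse guard against MIME-part flooding (added example, not from the report)."""
import email
import email.policy
from email.parser import BytesHeaderParser

MAX_PARTS = 1000  # assumed policy value for this example; tune per deployment


def build_sample_message(n_parts: int, boundary: str = "n") -> bytes:
    """Construct a multipart/mixed message with n_parts tiny parts, in the
    shape shown in the report. Constructed test data, not a captured mail."""
    head = (
        "From: sender@example.com\r\n"
        "To: recipient@example.com\r\n"
        "Subject: Multipart sample\r\n"
        "MIME-Version: 1.0\r\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\r\n'
        "\r\n"
        "This is a multi-part message in MIME format.\r\n"
    )
    part = f"--{boundary}\r\n\r\nb\r\n\r\n"
    return (head + part * n_parts + f"--{boundary}--\r\n").encode("ascii")


def count_top_level_parts(raw: bytes) -> int:
    """Count opening delimiter lines of the outer boundary.

    Only the header block is parsed (cheap); the body is scanned once as
    bytes. Nested multiparts carry their own boundaries and are not counted
    here; apply the same check per subpart if those must be bounded too.
    """
    headers = BytesHeaderParser(policy=email.policy.default).parsebytes(raw)
    boundary = headers.get_boundary()
    if boundary is None:
        return 0  # not multipart, so there is nothing to flood
    delim = b"--" + boundary.encode("ascii")
    count = 0
    for line in raw.splitlines():
        # an exact match is an opening delimiter; the closing "--n--" differs
        if line.rstrip() == delim:
            count += 1
    return count


def parse_with_limit(raw: bytes, max_parts: int = MAX_PARTS):
    """Reject over-sized messages before the full parser runs, then parse."""
    n = count_top_level_parts(raw)
    if n > max_parts:
        raise ValueError(f"message has {n} MIME parts, limit is {max_parts}")
    return email.message_from_bytes(raw, policy=email.policy.default)


def parsed_part_count(msg) -> int:
    """Number of leaf (non-multipart) parts the full parser produced."""
    return sum(1 for p in msg.walk() if not p.is_multipart())


if __name__ == "__main__":
    sample = build_sample_message(50)
    print("delimiters counted:", count_top_level_parts(sample))
    print("parsed leaf parts:", parsed_part_count(parse_with_limit(sample, 100)))
    try:
        parse_with_limit(sample, max_parts=10)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is linear in the message size and allocates no per-part objects, so its cost stays flat while the parser's cost grows with the part count; the same pattern fits any mail gateway that hands untrusted input to `email.parser`.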
History
Date                 User       Action  Args
2017-09-13 12:19:54  ckossmann  set     recipients: + ckossmann, barry, r.david.murray
2017-09-13 12:19:54  ckossmann  set     messageid: <1505305194.38.0.647391715895.issue31449@psf.upfronthosting.co.za>
2017-09-13 12:19:54  ckossmann  link    issue31449 messages
2017-09-13 12:19:54  ckossmann  create