Message 326831 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Matthew Belisle
Recipients	Matthew Belisle
Date	2018-10-01.21:23:27
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1538429007.97.0.545547206417.issue34866@psf.upfronthosting.co.za>
In-reply-to

Content
Copied from email to security@python.org: I have been doing memory profiling on a few python web frameworks and I noticed this issue in the cgi.FieldStorage class. $ python example.py Memory used: 523935744 bytes The problem is there is no easy way to limit the number of MiniFieldStorage objects created by FieldStorage, so it goes unchecked in many frameworks like pyramid, pylons, webapp2, and flask. The end result is that on these frameworks, a 9MB request body (gzipped down to 9KB) can chew up ~500MB of memory on the server which is enough to effectively DOS it. The obvious way to prevent this currently is to check the content-length header and fail if it exceeds some value. But that solution has a major shortcoming because many frameworks want to allow large payloads, sometimes up to 10MB, as long as they contain a reasonable number of fields. After talking with the security@python.org team and pylons dev team about it, we think the best solution is to add a max_num_fields param to the FieldStorage class, defaulting to None, which throws an error if max_num_fields is exceeded.

Copied from email to security@python.org:

I have been doing memory profiling on a few python web frameworks and I noticed this issue in the cgi.FieldStorage class.

$ python example.py
Memory used: 523935744 bytes

The problem is there is no easy way to limit the number of MiniFieldStorage objects created by FieldStorage, so it goes unchecked in many frameworks like pyramid, pylons, webapp2, and flask. The end result is that on these frameworks, a 9MB request body (gzipped down to 9KB) can chew up ~500MB of memory on the server which is enough to effectively DOS it. The obvious way to prevent this currently is to check the content-length header and fail if it exceeds some value. But that solution has a major shortcoming because many frameworks want to allow large payloads, sometimes up to 10MB, as long as they contain a reasonable number of fields.

After talking with the security@python.org
 team and pylons dev team about it, we think the best solution is to add a max_num_fields param to the FieldStorage class, defaulting to None, which throws an error if max_num_fields is exceeded.

History
Date	User	Action	Args
2018-10-01 21:23:28	Matthew Belisle	set	recipients: + Matthew Belisle
2018-10-01 21:23:27	Matthew Belisle	set	messageid: <1538429007.97.0.545547206417.issue34866@psf.upfronthosting.co.za>
2018-10-01 21:23:27	Matthew Belisle	link	issue34866 messages
2018-10-01 21:23:27	Matthew Belisle	create