Author gregory.p.smith
Recipients gen-xu, gregory.p.smith, leveryd
Date 2021-05-05.20:12:08
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1620245528.28.0.994786592173.issue44022@roundup.psfhosted.org>
In-reply-to
Content
The bug: Our http client can get stuck infinitely reading len(line) < 64k lines after receiving a '100 Continue' http response.  So yes, this could lead to our client being a bandwidth sink for anyone in control of a server.

Clear issue: That's a denial of network bandwidth and the denial of service in terms of CPU needed to process read and skip such lines.  The infinite lines are size bounded and are not buffered so there is no memory based DoS.

Maybe issue: If a the underlying socket has a timeout set on it, it can be used to prevent the timeout from triggering by sending a line more often than the timeout.  this is a denial of service by making a http client connection that an author may have assumed would timeout based on their socket.setdefaulttimeout() settings hang forever.

I expect there are plenty of other ways to accomplish the latter in our http client code though.  Ex: A regular response with a huge content length where one byte is transmitted occasionally could also effectively accomplish that.  The stdlib http stack doesn't have its own overall http transaction timeout as a feature.
History
Date User Action Args
2021-05-05 20:12:08gregory.p.smithsetrecipients: + gregory.p.smith, leveryd, gen-xu
2021-05-05 20:12:08gregory.p.smithsetmessageid: <1620245528.28.0.994786592173.issue44022@roundup.psfhosted.org>
2021-05-05 20:12:08gregory.p.smithlinkissue44022 messages
2021-05-05 20:12:08gregory.p.smithcreate