
Author methane
Recipients Mark.Shannon, christian.heimes, erlendaasland, gvanrossum, lemburg, methane, rhettinger, serhiy.storchaka, vstinner
Date 2021-10-07.09:49:07
Message-id <1633600147.94.0.470520821987.issue29410@roundup.psfhosted.org>
Content
> I know that it's not a popular opinion, but I don't think that this denial of service (DoS) is important. IMO there are enough other ways to crash a server. Moreover, the initial attack vector was an HTTP request with tons of header lines. In the meanwhile, the Python http module was modified to put arbitrary limits on the number of HTTP headers and the maximum length of a single HTTP header.

Hash DoS is not only for HTTP headers. Everywhere a dict is created from an untrusted source can be an attack vector.
For example, many API servers receive JSON as the HTTP request body. Limiting HTTP headers doesn't protect it.
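Added example, not part of the issue thread or of CPython: one defensive bound a JSON-consuming service can apply on top of header limits, using the `object_pairs_hook` of `json.loads` to cap the number of keys per object, plus a body-size cap. The limit values and the function names are assumptions.

```python
import json

# Illustrative limit (assumed): the maximum number of keys a single JSON
# object from an untrusted body may carry before it is rejected.
MAX_KEYS_PER_OBJECT = 1000


class TooManyKeys(ValueError):
    """Raised when a JSON object exceeds the configured key budget."""


def _bounded_pairs_hook(pairs):
    # json.loads calls this with the (key, value) pairs of each object,
    # nested ones included, before the dict for that object is built, so an
    # oversized object is refused instead of being turned into a huge dict.
    if len(pairs) > MAX_KEYS_PER_OBJECT:
        raise TooManyKeys(
            f"JSON object has {len(pairs)} keys, limit is {MAX_KEYS_PER_OBJECT}"
        )
    return dict(pairs)


def loads_bounded(body: bytes, max_bytes: int = 1 << 20):
    """Parse an untrusted JSON body with a byte cap and a per-object key cap.

    The byte cap bounds parser work; the key cap bounds the size of every
    dict the application ends up holding for this request.
    """
    if len(body) > max_bytes:
        raise ValueError(f"body of {len(body)} bytes exceeds limit {max_bytes}")
    return json.loads(body, object_pairs_hook=_bounded_pairs_hook)


def accepts(body: bytes, max_bytes: int = 1 << 20) -> bool:
    """True if the body parses within the limits, False if it was rejected."""
    try:
        loads_bounded(body, max_bytes=max_bytes)
    except ValueError:  # covers TooManyKeys and json.JSONDecodeError
        return False
    return True


if __name__ == "__main__":
    # Constructed sample bodies: a small object and one with too many keys.
    small = b'{"user": "alice", "tags": ["a", "b"]}'
    huge = ("{" + ",".join(f'"k{i}": {i}' for i in range(MAX_KEYS_PER_OBJECT + 1)) + "}").encode()
    print(accepts(small), accepts(huge))  # True False
```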