Author haqsek2
Recipients haqsek2
Date 2021-11-12.15:55:25
Hi, during my recent tests I have discovered that the urllib HTTP client (urllib.request.urlopen()) is vulnerable to a DoS attack using a simple but effective trick.

I am attaching a file named download it and run it using the latest version of Python. After running it, execute the following Python code in Python interactive mode (python -i).

import urllib.request
request = urllib.request.Request('')
response = urllib.request.urlopen(request, timeout=1)

DoS limit: We can achieve DoS for an unlimited time.
How to fix?
Implement good logic for the timeout in urllib.request.urlopen(url, timeout). The timeout value should not be reset after the client receives data (bytes), because it can easily be abused to achieve DoS.
Date                 User     Action  Args
2021-11-12 15:55:25  haqsek2  set     recipients: + haqsek2
2021-11-12 15:55:25  haqsek2  set     messageid: <>
2021-11-12 15:55:25  haqsek2  link    issue45795 messages
2021-11-12 15:55:25  haqsek2  create
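The report above turns on the fact that the timeout passed to urlopen() bounds each blocking socket operation, not the transfer as a whole. The following is an added example, not code from the report or from CPython: a client-side guard that puts one overall deadline and a size cap on reading the body. The names read_body_with_deadline, fetch, DeadlineExceeded and SlowResponse are hypothetical, and SlowResponse is a constructed stand-in for a slow peer so the block runs offline.

```python
import time
import urllib.request


class DeadlineExceeded(Exception):
    """The whole transfer took longer than the total budget."""


def read_body_with_deadline(response, total_timeout, max_bytes=10 * 1024 * 1024,
                            chunk_size=65536, clock=time.monotonic):
    """Read a body under one overall deadline.

    `response` needs read1(n), as http.client.HTTPResponse has. read1()
    returns as soon as some data is available, so the deadline is checked
    between reads that are each bounded by the socket timeout.
    """
    deadline = clock() + total_timeout
    body = bytearray()
    while True:
        if clock() >= deadline:
            raise DeadlineExceeded(f"{len(body)} bytes after {total_timeout}s")
        chunk = response.read1(chunk_size)
        if not chunk:  # empty bytes means end of body
            return bytes(body)
        body += chunk
        if len(body) > max_bytes:
            raise ValueError("response body larger than max_bytes")


def fetch(url, total_timeout=5.0, socket_timeout=1.0):
    """Hypothetical helper: urlopen() plus an overall deadline for the body."""
    # Caveat: urlopen() reads the status line and headers itself, and that
    # phase is still only bounded per socket read, not by total_timeout.
    with urllib.request.urlopen(url, timeout=socket_timeout) as response:
        return read_body_with_deadline(response, total_timeout)


class SlowResponse:
    """Constructed stand-in for a peer that sends one byte per interval."""

    def __init__(self, interval, total_bytes):
        self.interval, self.remaining = interval, total_bytes

    def read1(self, n=-1):
        if self.remaining == 0:
            return b""
        time.sleep(self.interval)  # stays below any per-read socket timeout
        self.remaining -= 1
        return b"x"
```

Worst-case time for the body is total_timeout plus one socket_timeout, since a read that starts just before the deadline can still block for the per-read limit.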