Message406220
Hi, during my recent tests I have discovered that the urllib HTTP client (urllib.request.urlopen()) is vulnerable to a DoS attack using a simple but effective trick.
I am attaching a file named server.py; download it and run it using the latest version of Python. After running it, execute the following Python code in interactive mode (python -i):
import urllib.request
request = urllib.request.Request('http://127.0.0.1:1338')
# timeout=1 only bounds each individual socket operation, not the whole transfer
response = urllib.request.urlopen(request, timeout=1)
DoS limit: we can achieve DoS for an unlimited time.
How to fix?
Implement proper timeout logic in urllib.request.urlopen(url, timeout). The timeout value should not be reset after the client receives data (bytes), because this can easily be abused to achieve DoS.
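The report's point is that urlopen's timeout argument is a per-socket-operation limit, so any peer that sends another byte just before it expires keeps the client reading forever. The following is an added example (not from the report, its attachment, or CPython) of the client-side mitigation a caller can apply today: a wall-clock deadline and a size cap enforced on top of urlopen's own timeout. The names read_with_deadline, fetch_with_deadline, TotalDeadlineExceeded and TrickleStream are the example's own; TrickleStream is a constructed stand-in for a dripping response so the code runs offline without any server.

```python
import time
import urllib.request


class TotalDeadlineExceeded(TimeoutError):
    """The whole response did not arrive within the caller's wall-clock budget."""


def read_with_deadline(stream, max_seconds, max_bytes=10 * 1024 * 1024, chunk_size=4096):
    """Read `stream` to EOF under a fixed wall-clock deadline and a size cap.

    urlopen(url, timeout=T) only bounds each individual socket operation: a peer
    that sends one byte just before T expires keeps the read going indefinitely.
    The deadline below is computed once and is never extended when data arrives,
    so trickled bytes cannot keep the client waiting forever. A single read() may
    still block for up to the per-operation timeout, so the overshoot is bounded
    by that value rather than by zero.
    """
    deadline = time.monotonic() + max_seconds
    buf = bytearray()
    while True:
        if time.monotonic() >= deadline:
            raise TotalDeadlineExceeded(
                f"response incomplete after {max_seconds}s ({len(buf)} bytes received)")
        chunk = stream.read(chunk_size)
        if not chunk:             # EOF: the peer finished the body
            return bytes(buf)
        buf += chunk
        if len(buf) > max_bytes:  # separate cap: a fast sender can exhaust memory instead of time
            raise ValueError(f"response exceeds {max_bytes} bytes")


def fetch_with_deadline(url, total_seconds, per_read_timeout=1.0, **kwargs):
    """Fetch `url` with urllib, bounding the whole transfer rather than each read.

    `per_read_timeout` is passed straight through as urlopen's `timeout`;
    `total_seconds` is enforced by read_with_deadline on top of it.
    """
    with urllib.request.urlopen(url, timeout=per_read_timeout, **kwargs) as resp:
        return read_with_deadline(resp, total_seconds)


class TrickleStream:
    """Constructed stand-in for a response whose peer drips `n` bytes, one per `delay` seconds.

    It reproduces the behaviour the report describes without opening a socket,
    so the example can be run offline.
    """

    def __init__(self, n, delay):
        self.remaining = n
        self.delay = delay

    def read(self, size=-1):
        if self.remaining == 0:
            return b""
        time.sleep(self.delay)    # peer waits, then sends a single byte
        self.remaining -= 1
        return b"x"


if __name__ == "__main__":
    # 40 bytes at 50 ms each is 2 s of dripping; a 0.3 s total budget must abort...
    try:
        read_with_deadline(TrickleStream(40, 0.05), max_seconds=0.3)
    except TotalDeadlineExceeded as exc:
        print("stopped:", exc)
    # ...while a generous budget reads the body to completion.
    print(len(read_with_deadline(TrickleStream(40, 0.05), max_seconds=10)), "bytes")
```

The deadline check happens between reads, so a real urlopen response can still overshoot by at most the per-read timeout; the important property is that the budget never grows when bytes arrive, which is exactly the reset behaviour the report asks to remove.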
Date                | User    | Action | Args
2021-11-12 15:55:25 | haqsek2 | set    | recipients: + haqsek2
2021-11-12 15:55:25 | haqsek2 | set    | messageid: <1636732525.38.0.485782952474.issue45795@roundup.psfhosted.org>
2021-11-12 15:55:25 | haqsek2 | link   | issue45795 messages
2021-11-12 15:55:25 | haqsek2 | create |