Created on 2005-04-11 04:26 by paulj, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Messages (4) |
|
|
| msg60725 - (view) |
Author: Paul Jimenez (paulj) |
Date: 2005-04-11 04:26 |
| BaseHTTPServer used a deprecated (as of 2.3) class: mimetools.Message. cgi.py also uses it, but that's getting fixed. If only there was just a single API for writing webapps. |
|
|
| msg60726 - (view) |
Author: Nick Guenther (kousu) |
Date: 2006-01-15 12:03 |
| Logged In: YES user_id=705725 There's a DoS attack possible here because of it, actually. mimetools.Message locks up if it never sees '\r\n\r\n'. Thus to crash a BaseHTTPServer all one must do is: echo "GET / HTTP/1.1" > nc host port. |
|
|
| msg68550 - (view) |
Author: Humberto DiĆ³genes (hdiogenes) * |
Date: 2008-06-21 21:59 |
| This was solved in Python 3.0: http.server now uses email.parser (), which is not vulnerable to the DoS attack mentioned by Nick. Should we backport these changes to 2.6? As HTTPMessage's base class was changed to email.message, additional work would be necessary to maintain API compatibility (ie.: implementing an interface similar to mimetools.Message in HTTPMessage). |
|
|
| msg68599 - (view) |
Author: Benjamin Peterson (benjamin.peterson) *  |
Date: 2008-06-23 00:37 |
| Let's save ourselves the trouble... |
|
|
| History |
|
|
|
| Date |
User |
Action |
Args |
| 2022-04-11 14:56:10 |
admin |
set |
github: 41844 |
| 2008-06-23 00:37:01 |
benjamin.peterson |
set |
status: open -> closedresolution: out of datemessages: + nosy: + benjamin.peterson |
| 2008-06-21 21:59:11 |
hdiogenes |
set |
nosy: + hdiogenesmessages: + |
| 2005-04-11 04:26:39 |
paulj |
create |
|