msg257446
Author: Richard Clifford (Richard Clifford)
Date: 2016-01-04 08:54
The issue comes when there is a malformed HTTP request not ending in a new line; it causes the server to hang, not time out, and causes a DoS. The request that I sent to the server was as follows:

    const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n";

Which should have been:

    const char *headers = "GET / HTTP/1.1\r\nHost: localhost:8000\r\n\r\n";

This causes the application to await the second set of new-line sequences and hang until they are received, which prevents any further connections from being made. I have just tested this against the latest versions of the library and I can supply proof-of-concept code if that would be useful - just let me know. A recommended fix would be to ensure that all HTTP requests are received in full and in the correct manner prior to being parsed.

msg257447
Author: Martin Panter (martin.panter)
Date: 2016-01-04 09:28
I expect the server _is_ waiting for the end of the headers before handling the response. The problem is if you do not send the blank line, the server cannot know if you have ended the headers or if there are more to come. Perhaps you could set a socket timeout in the server. But an attacker could still send little bits of the header very slowly (called Slowloris attack or something I think). I think a server robust against that sort of stuff would be out of scope for SimpleHTTPServer.

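The socket-timeout mitigation Martin suggests, as an added example that is not part of this thread or of CPython's own code. The `timeout` class attribute and the "Request timed out" handling it triggers are real http.server / socketserver behaviour; the handler class, the half-sent request bytes and the 2 second value are constructed for the demo. As Martin notes, this bounds one idle connection; it does not address a client that keeps trickling header bytes.

```python
import http.client
import http.server
import socket
import threading

# Constructed from the report: the header block ends with one CRLF, not the
# CRLF CRLF that terminates HTTP headers, so the server keeps waiting.
MALFORMED_REQUEST = b"GET / HTTP/1.1\r\nHost: localhost:8000\r\n"


class TimeoutHandler(http.server.BaseHTTPRequestHandler):
    # StreamRequestHandler.setup() applies this with settimeout(), so the
    # readline() in parse_request() raises TimeoutError instead of blocking;
    # handle_one_request() logs "Request timed out" and closes the socket.
    timeout = 2  # seconds; value chosen for the demo

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def run_demo():
    """Stall the single-threaded HTTPServer with a half-sent request, then
    make a well-formed request on a second connection.
    Returns (status of second request, whether the stalled client was closed)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), TimeoutHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        stalled = socket.create_connection(("127.0.0.1", port), timeout=10)
        stalled.sendall(MALFORMED_REQUEST)  # never send the final blank line
        # Without the class-level timeout this second request would hang
        # forever: the only server thread is still inside parse_request().
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=10)
        conn.request("GET", "/")
        status = conn.getresponse().status
        conn.close()
        # The stalled client gets no response; the server just drops it.
        stalled_closed = stalled.recv(1024) == b""
        stalled.close()
        return status, stalled_closed
    finally:
        server.shutdown()
        server.server_close()
```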
msg257448
Author: STINNER Victor (vstinner)
Date: 2016-01-04 09:35
"I think a server robust against that sort of stuff would be out of scope for SimpleHTTPServer." We can probably enhance SimpleHTTPServer but I agree that the server should remain simple. Maybe we should be more explicit in the documentation that the server requires to trust users?

msg257474
Author: Brett Cannon (brett.cannon)
Date: 2016-01-04 17:43
A warning directive at the start of http.server about needing to trust users would work?

msg257517
Author: Senthil Kumaran (orsenthil)
Date: 2016-01-05 05:30
SimpleHTTPServer is never meant to be used in production. I was of the understanding that we already inform users about it in the documentation, but I do not find any such note. Only in wsgiref's simple_server.py example do we state that, in the module header: https://hg.python.org/cpython/file/tip/Lib/wsgiref/simple_server.py#l1

For SimpleHTTPServer, we could add a similar warning in the docs: "SimpleHTTPServer is meant for demo purposes and does not implement the stringent security checks needed of a real HTTP server. We do not recommend using this module directly in production." If an alternate wording is desired, please suggest that in the comments.

msg327087
Author: Martin Panter (martin.panter)
Date: 2018-10-04 21:20
Issue 34576 was recently opened about adding a security warning.

msg327505
Author: Senthil Kumaran (orsenthil)
Date: 2018-10-11 02:43
New changeset 1d26c72e6a9c5b28b27c158f2f196217707dbb0f by Senthil Kumaran (Felipe Rodrigues) in branch 'master': bpo-34576 warn users on security for http.server (#9720) https://github.com/python/cpython/commit/1d26c72e6a9c5b28b27c158f2f196217707dbb0f

msg327510
Author: miss-islington (miss-islington)
Date: 2018-10-11 03:31
New changeset 3baee3b39765f5e8ec616b2b71b731b140486394 by Miss Islington (bot) in branch '3.6': bpo-34576 warn users on security for http.server (GH-9720) https://github.com/python/cpython/commit/3baee3b39765f5e8ec616b2b71b731b140486394

msg327513
Author: miss-islington (miss-islington)
Date: 2018-10-11 03:55
New changeset 57038bcb24407abbbb46e6d278d0ab4b6ad25bbf by Miss Islington (bot) in branch '3.7': bpo-34576 warn users on security for http.server (GH-9720) https://github.com/python/cpython/commit/57038bcb24407abbbb46e6d278d0ab4b6ad25bbf