bpo-43813: Fixing DOS on http.server by limiting the characters getting logged. #26223
Conversation
|
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA). CLA MissingOur records indicate the following people have not signed the CLA: For legal reasons we need all the people listed to sign the CLA before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. If you have recently signed the CLA, please wait at least one business day You can check yourself to see if the CLA has been received. Thanks again for the contribution, we look forward to reviewing it! |
|
@DEMON1A can you add some tests to it? |
|
Hey @jaswdr, i'm kinda new to this stuff, what do you mean with tests like test cases vulnerable to this? and where should i add it? |
|
@DEMON1A you need to add tests for your changes |
|
This PR is stale because it has been open for 30 days with no activity. |
github-actions
bot
removed
the
stale
Due to the large characters limit on the first line of the request, Remote users was able to submit a huge method name and endpoint on the request that they can keep sending until python uses a large amount of memory until it freezes that could be achieved on a strong machine with almost 1000 requests.
The logging part was the most part that's using memory during the attack. so I think limiting the data getting passed into the output functions:
log_requestandlog_messagethat uses:sys.stderr.writewill be more fine to keep http.server handling the requests without stop.The fix limits the request method characters getting logged into 10 characters only. if the request method is 60k
Acharacters for example. it will just print out:AAAAAAAAAA...that doesn't consume memory.Before the fix the memory usage kept increasing. after it the memory usage doesn't pass 6.0% using 5k requests.
https://bugs.python.org/issue43813