On Aug 28, 11:21 pm, dave b <db.pub.m...@gmail.com> wrote:
> >>> So obviously my proposed attack is to simply say "content length is
> >>> tiny" and "this file is actually HUGE".
> >>> I hope I missed something :) I don't really want this to occur ...
>
> >> A decent web server such as Apache (under mod_wsgi) will stop reading
> >> the original content at the content length specified in the request.
> >> Thus not possible to force more than content length down to the
> >> application level.
>
> >> Graham
>
> > The documentation and code in Django suggests that this is not the
> > case. So let's assume we are not using Apache but another httpd of some
> > sort - then this problem will be present.
> > http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.4 seems to
> > say otherwise from my reading.
>
> Just to clarify this - I meant that the HTTP content length header
> item is *not* required - as per
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.4 (also see
> 4.4.2), so I do not believe that Apache would do what you said :) -
> there is a default limit in Apache of around 2gb for the attacker's
> file to reach though.
What you are talking about is chunked transfer encoding. This is the only way you can not have a content length. Chunked transfer encoding on request content isn't well supported. Specifically, chunked transfer encoding is not supported by:

  mod_python
  FASTCGI
  SCGI
  AJP
  CGI
  WSGI

So, basically every standard way that Django can be hosted doesn't support chunked transfer encoding on request content. What you should instead see is an immediate HTTP_LENGTH_REQUIRED error response from the web server.

That said, some pure Python WSGI servers, e.g., wsgiref in the Python standard library, may be broken and don't properly error when there is no content length. However, for WSGI applications at least, they will be broken if they try and read more than content length anyway, where it takes on the value of 0 if not specified, because reading more than content length is a violation of the WSGI specification.

All up, I would suggest you are getting worked up over nothing.

BTW, have you actually tried to test your hypothesis to see whether it is correct? If you have, post what server arrangement you are using.

Graham
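As an added example (not code from this thread, nor from Django or mod_wsgi), here is a small WSGI middleware that applies Graham's point on the application side: it never reads past CONTENT_LENGTH, treats a missing or malformed header as 0 as the WSGI spec does, and answers 411 or 413 before an oversize or length-less body reaches the app. MAX_BODY, echo_app and call() are constructed for the demonstration and are not real project names.

```python
import io

MAX_BODY = 1024  # hypothetical per-deployment cap in bytes (assumption)

def declared_length(environ):
    """CONTENT_LENGTH as an int; a missing, negative or malformed header counts as 0."""
    try:
        return max(int(environ.get("CONTENT_LENGTH", "")), 0)
    except (TypeError, ValueError):
        return 0

def read_body(environ):
    """Read at most CONTENT_LENGTH bytes from wsgi.input, never more."""
    n = declared_length(environ)
    return environ["wsgi.input"].read(n) if n else b""

class BoundedBodyMiddleware:
    """Reject bodies with no declared length (411) or above the cap (413)."""
    def __init__(self, app, max_body=MAX_BODY):
        self.app, self.max_body = app, max_body

    def __call__(self, environ, start_response):
        if environ.get("REQUEST_METHOD") in ("POST", "PUT", "PATCH"):
            headers = [("Content-Type", "text/plain")]
            if not environ.get("CONTENT_LENGTH"):
                start_response("411 Length Required", headers)
                return [b"Content-Length required\n"]
            if declared_length(environ) > self.max_body:
                start_response("413 Request Entity Too Large", headers)
                return [b"request body too large\n"]
        return self.app(environ, start_response)

def echo_app(environ, start_response):
    """Demo app (constructed): reports how many body bytes it actually read."""
    body = read_body(environ)
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [str(len(body)).encode()]

def call(app, method, body, content_length=None):
    """Drive a WSGI app with a constructed environ; returns (status, response bytes)."""
    environ = {"REQUEST_METHOD": method, "wsgi.input": io.BytesIO(body)}
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.append(status)
    out = b"".join(app(environ, start_response))
    return captured[0], out
```

Feeding 5000 bytes with CONTENT_LENGTH: 5 through the middleware makes the app read exactly 5, which is the "tiny length, huge file" case from the thread handled safely.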