New submission from Christian Koßmann: Python's email parser consumes a lot of resources (CPU and memory) when parsing emails with a large amount of MIME parts. Attackers can probably exploit this behavior to perform denial-of-service (DoS) attacks.
A potentially malicious email has the following structure:

=============================================
From: sen...@example.com
To: recipi...@example.com
Subject: Multipart DoS Attack
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="n"

This is a multi-part message in MIME format.
--n
b
--n
... a lot of parts here...
--n
b
--n--
=============================================

On my machine parsing an email with 1 million MIME parts takes around 20 seconds and with 10 million MIME parts over 3 minutes. In my opinion, the number of MIME parts should be limited to some reasonable value to mitigate this kind of attack.

The bug report contains a Python script with a proof-of-concept.

----------
components: email
files: multipart-dos-attack.py
messages: 302060
nosy: barry, ckossmann, r.david.murray
priority: normal
severity: normal
status: open
title: Potential DoS Attack when Parsing Email with Huge Number of MIME Parts
type: security
versions: Python 3.5, Python 3.6
Added file: https://bugs.python.org/file47138/multipart-dos-attack.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31449>
_______________________________________
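The mitigation the report asks for, a cap on the number of MIME parts, can be enforced by the receiving application before the full parser runs. The following is an added example written for this page; it is not the reporter's proof-of-concept and not code from CPython's email package. It reads only the header block with the standard library's BytesHeaderParser, takes the declared top-level boundary, and counts delimiter lines with one linear regex pass over the raw bytes, which is far cheaper than building a million Message objects. The limit MAX_MIME_PARTS is an assumed value, and the sample message is constructed here with three parts in the same shape as the report's message. Only the top-level boundary is counted; a nested multipart part declares its own boundary and would need the same check applied to it.

```python
"""Pre-check for multipart messages with an excessive number of MIME parts.

Added example for this bug-tracker post; not code from the report or from CPython.
"""
import re
from email import message_from_bytes
from email.parser import BytesHeaderParser
from email.policy import default

# Assumed limit: choose a value that fits the mail your system legitimately sees.
MAX_MIME_PARTS = 1000


def declared_boundary(raw: bytes):
    """Parse only the header block and return the Content-Type boundary,
    or None for messages that are not multipart."""
    headers = BytesHeaderParser(policy=default).parsebytes(raw)
    return headers.get_boundary()


def count_top_level_parts(raw: bytes, boundary: str) -> int:
    """Count delimiter lines '--boundary' (not the closing '--boundary--').

    Every non-closing delimiter starts one top-level body part, so this is the
    part count the full parser would produce, obtained in a single pass that is
    linear in the message size and allocates no Message objects.
    """
    delim = re.compile(
        rb"^--" + re.escape(boundary.encode("ascii", "replace")) + rb"[ \t]*\r?$",
        re.MULTILINE,
    )
    return len(delim.findall(raw))


def parse_bounded(raw: bytes, max_parts: int = MAX_MIME_PARTS):
    """Parse raw message bytes, refusing multipart input whose top-level part
    count exceeds max_parts before the expensive parse is attempted."""
    boundary = declared_boundary(raw)
    if boundary is not None:
        n = count_top_level_parts(raw, boundary)
        if n > max_parts:
            raise ValueError(
                f"multipart message declares {n} top-level parts, limit is {max_parts}"
            )
    return message_from_bytes(raw, policy=default)


# Constructed sample in the shape of the report's message, with three parts.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"To: recipient@example.com\r\n"
    b"Subject: Multipart sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="n"\r\n'
    b"\r\n"
    b"This is a multi-part message in MIME format.\r\n"
    b"--n\r\n\r\nb\r\n"
    b"--n\r\n\r\nb\r\n"
    b"--n\r\n\r\nb\r\n"
    b"--n--\r\n"
)


if __name__ == "__main__":
    print("declared boundary:", declared_boundary(SAMPLE))
    print("top-level parts:", count_top_level_parts(SAMPLE, "n"))
    msg = parse_bounded(SAMPLE)
    print("parsed parts:", len(msg.get_payload()))
    try:
        parse_bounded(SAMPLE, max_parts=2)
    except ValueError as exc:
        print("rejected:", exc)
```

The regex anchors on a line start and requires only optional whitespace after the boundary, so `--n--` (the closing delimiter) and lines such as `--nx` are not counted. Because the check reads the header block and scans bytes rather than parsing, a message with ten million parts is rejected in the time it takes to read it once, instead of the minutes the report measures for a full parse.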