[issue34866] CGI DOS vulnerability via long post list

New submission from Matthew Belisle:

Copied from email to secur...@python.org:

I have been doing memory profiling on a few python web frameworks and I noticed this issue in the cgi.FieldStorage class.

$ python example.py
Memory used: 523935744 bytes

The problem is there is no easy way to limit the number of MiniFieldStorage objects created by FieldStorage, so it goes unchecked in many frameworks like pyramid, pylons, webapp2, and flask. The end result is that on these frameworks, a 9MB request body (gzipped down to 9KB) can chew up ~500MB of memory on the server, which is enough to effectively DOS it.

The obvious way to prevent this currently is to check the content-length header and fail if it exceeds some value. But that solution has a major shortcoming because many frameworks want to allow large payloads, sometimes up to 10MB, as long as they contain a reasonable number of fields.

After talking with the secur...@python.org team and pylons dev team about it, we think the best solution is to add a max_num_fields param to the FieldStorage class, defaulting to None, which throws an error if max_num_fields is exceeded.

--
components: Library (Lib)
messages: 326831
nosy: Matthew Belisle
priority: normal
severity: normal
status: open
title: CGI DOS vulnerability via long post list
type: security
versions: Python 2.7, Python 3.4, Python 3.5, Python 3.6, Python 3.7, Python 3.8

Python tracker <https://bugs.python.org/issue34866>

Python-bugs-list mailing list
Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue34866] CGI DOS vulnerability via long post list

Matthew Belisle added the comment:

Sorry, looks like I forgot to attach example.py. Attaching now.

--
Added file: https://bugs.python.org/file47861/example.py

Python tracker <https://bugs.python.org/issue34866>
[issue34866] CGI DOS vulnerability via long post list

Change by Matthew Belisle:

--
pull_requests: +9314

Python tracker <https://bugs.python.org/issue34866>
[issue35028] Off by one error in cgi.FieldStorage(max_num_fields)

Change by Matthew Belisle:

--
keywords: +patch
pull_requests: +9317
stage: -> patch review

Python tracker <https://bugs.python.org/issue35028>
[issue35028] Off by one error in cgi.FieldStorage(max_num_fields)

New submission from Matthew Belisle:

The cgi.FieldStorage class added in https://github.com/python/cpython/pull/9660 has an off by one error in the logic for recursively nested objects. The problem is that sub_max_num_fields should be initialized outside of the while loop, not inside of it. Adding a unit test to cover this case.

Note: This problem does not exist in the 2.7 backport in https://github.com/python/cpython/pull/9969.

--
components: Library (Lib)
messages: 328060
nosy: Matthew Belisle
priority: normal
severity: normal
status: open
title: Off by one error in cgi.FieldStorage(max_num_fields)
type: behavior
versions: Python 3.6, Python 3.7, Python 3.8

Python tracker <https://bugs.python.org/issue35028>
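An added example, not the attached example.py and not CPython's own cgi code, covering both the field-count cap requested in issue34866 above and the budget threading the off-by-one report in issue35028 describes: the remaining budget is set once by the caller, outside the loop, and carried through nested parts. It uses the stdlib parse_qsl(max_num_fields=...) for urlencoded bodies; MAX_FIELDS and the list-of-lists stand-in for a nested multipart body are assumptions.

```python
from urllib.parse import parse_qsl

# Assumed policy value for this example; choose it per application.
MAX_FIELDS = 1000


def parse_urlencoded(body: str, max_num_fields: int = MAX_FIELDS) -> list:
    """Parse an application/x-www-form-urlencoded body under a field-count cap.

    parse_qsl counts '&' separators before building a single pair, so an
    over-long body raises ValueError before memory is spent on it; it is
    the urllib counterpart of cgi.FieldStorage(max_num_fields=...).
    """
    return parse_qsl(body, keep_blank_values=True, max_num_fields=max_num_fields)


def urlencoded_field_count(body: str, max_num_fields: int = MAX_FIELDS) -> int:
    """Return the number of fields, or -1 when the body exceeds the cap."""
    try:
        return len(parse_urlencoded(body, max_num_fields))
    except ValueError:
        return -1


def consume_budget(parts, budget: int) -> int:
    """Charge each leaf field of a nested multipart body against one budget.

    `parts` is a constructed stand-in for a multipart body: each item is a
    field name (leaf) or a list (nested multipart/mixed part). The budget is
    set once by the caller and threaded through the recursion, so nesting
    cannot hide extra fields from the limit; initialising it inside the
    loop instead is the off-by-one issue35028 describes.
    """
    for part in parts:
        if isinstance(part, list):
            budget = consume_budget(part, budget)  # continue from the updated budget
        else:
            budget -= 1
        if budget < 0:
            raise ValueError("Max number of fields exceeded")
    return budget


def multipart_field_count(parts, max_num_fields: int = MAX_FIELDS) -> int:
    """Return the total field count if within the cap, or -1 if it is exceeded."""
    try:
        return max_num_fields - consume_budget(parts, max_num_fields)
    except ValueError:
        return -1
```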
[issue35116] Doc/library entries for cgi.FieldStorage max_num_fields

New submission from Matthew Belisle:

vstinner pointed out that cgi.FieldStorage max_num_fields needs documentation added to Doc/library. https://bugs.python.org/issue34866#msg328401

--
assignee: docs@python
components: Documentation
messages: 328937
nosy: Matthew Belisle, docs@python
priority: normal
severity: normal
status: open
title: Doc/library entries for cgi.FieldStorage max_num_fields
type: enhancement
versions: Python 3.6, Python 3.7, Python 3.8

Python tracker <https://bugs.python.org/issue35116>
[issue35116] Doc/library entries for cgi.FieldStorage max_num_fields

Change by Matthew Belisle:

--
keywords: +patch
pull_requests: +9560
stage: -> patch review

Python tracker <https://bugs.python.org/issue35116>
[issue35116] Doc/library entries for cgi.FieldStorage max_num_fields

Change by Matthew Belisle:

--
pull_requests: +9561

Python tracker <https://bugs.python.org/issue35116>
[issue35116] Doc/library entries for cgi.FieldStorage max_num_fields

Change by Matthew Belisle:

--
pull_requests: +9562

Python tracker <https://bugs.python.org/issue35116>
[issue34866] CGI DOS vulnerability via long post list

Matthew Belisle added the comment:

That makes sense Victor, I agree. Thanks for merging those PRs.

--

Python tracker <https://bugs.python.org/issue34866>