[issue26005] Denial of Service in SimpleHTTPServer and BaseHTTPServer
Martin Panter
report at bugs.python.org
Mon Jan 4 04:28:06 EST 2016
Martin Panter added the comment:
I expect the server _is_ waiting for the end of the headers before handling the response. The problem is if you do not send the blank line, the server cannot know if you have ended the headers or if there are more to come.
Perhaps you could set a socket timeout in the server. But an attacker could still send little bits of the header very slowly (called Slow Loris attack or something I think). I think a server robust against that sort of stuff would be out of scope for SimpleHTTPServer.
----------
nosy: +martin.panter
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26005>
_______________________________________
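The socket timeout suggested in the comment above, as an added example (not code from the tracker message or from CPython). `TimeoutHandler`, `stalled_client_is_dropped` and the 1-second value are assumptions chosen for the demo. The timeout bounds only the idle time of each read, not the total time spent receiving headers, so the slow-drip case the comment mentions is not covered by it.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


class TimeoutHandler(BaseHTTPRequestHandler):
    # StreamRequestHandler.setup() applies this value to the connection with
    # settimeout(); a read of the request line or of a header line that sees
    # no data for this long raises a timeout, and handle_one_request() then
    # discards the connection.
    timeout = 1.0  # constructed value for the demo

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo quiet


def stalled_client_is_dropped(wait=3.0):
    """Send headers without the terminating blank line, then go silent.

    Returns (dropped, seconds): dropped is True when the server closed the
    connection on its own within `wait` seconds.
    """
    server = HTTPServer(("127.0.0.1", 0), TimeoutHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(server.server_address) as client:
            client.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n")
            client.settimeout(wait)
            start = time.monotonic()
            try:
                data = client.recv(1024)  # b"" means the server hung up
            except socket.timeout:
                return False, time.monotonic() - start
            return data == b"", time.monotonic() - start
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(stalled_client_is_dropped())
```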