[issue28669] Math Library DoS Attack

Honor report at bugs.python.org
Fri Nov 11 11:40:12 EST 2016


Honor added the comment:

I will make a video on this subject.
Then I will report the end result.

Thanks a lot.

On Fri, Nov 11, 2016 at 7:27 PM, Mark Dickinson <report at bugs.python.org>
wrote:

>
> Mark Dickinson added the comment:
>
> Thanks. The solution here is "Don't do that, then." That is, don't allow
> this code to execute on your server in the first place.
>
> At a guess, you've got a multithreaded server that's executing the given
> code on one thread, while continuing to listen for connections on another.
> Now the problem is not only that the power computation takes a long time,
> but also that the slow part all happens in a single bytecode instruction,
> so the GIL never gets released while the power operation is in progress,
> and no other threads can run.
>
> In theory it might be possible to rework the power operation to release
> the GIL now and then, but even if we did that there are plenty of other
> examples in the language that are going to have a similar effect (running
> for a long time without releasing the GIL). Changing all those isn't
> particularly practical.
>
> IOW, I'm afraid this isn't a problem with the core Python language; it's a
> problem with how you're using it: you want to think very carefully before
> allowing arbitrary untrusted code to execute on your server (if that's what
> you're doing), for reasons exactly like this one.
>
> ----------
>
> _______________________________________
> Python tracker <report at bugs.python.org>
> <http://bugs.python.org/issue28669>
> _______________________________________
>

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue28669>
_______________________________________
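The effect Mark Dickinson describes above (one long-running bytecode holding the GIL so the listening thread never runs), and the only real fix he gives (do not run the untrusted code in the server process), as an added example. This is my own code, not from the tracker thread or from CPython: the names `ticks_while`, `starvation_demo`, `run_isolated` and `CHILD_PROGRAM` are mine, the exponent and the CPU/memory/wall-clock caps are constructed values, and it assumes CPython with the GIL on a Unix/Linux host. The first half measures how many times a heartbeat thread manages to run during one big `pow()` versus during a pure-Python loop of the same length; the second half moves the computation into a separate interpreter whose resource limits kill it instead of the server.

```python
# Added example, not code from the tracker thread or from CPython.
# Assumes CPython with the GIL on a Unix/Linux host; the exponent and the
# resource limits below are constructed values, not anything the issue specifies.
import signal
import subprocess
import sys
import threading
import time

HEARTBEAT_INTERVAL = 0.001  # how often the "listening" thread tries to run


def ticks_while(work):
    """Run work() on this thread while a heartbeat thread tries to tick every
    HEARTBEAT_INTERVAL seconds; return (ticks observed, elapsed seconds).

    The heartbeat stands in for the server thread that should keep accepting
    connections. It can only tick when it can take the GIL, which CPython hands
    over between bytecodes, never in the middle of one."""
    ticks = 0
    stop = threading.Event()

    def beat():
        nonlocal ticks
        while not stop.is_set():
            ticks += 1
            time.sleep(HEARTBEAT_INTERVAL)

    t = threading.Thread(target=beat, daemon=True)
    t.start()
    start = time.perf_counter()
    work()
    elapsed = time.perf_counter() - start
    stop.set()
    t.join()
    return ticks, elapsed


def starvation_demo(exponent=2_000_000):
    """One big pow() is a single BINARY_OP bytecode, so the heartbeat barely
    advances while it runs. A pure-Python loop of at least the same length
    hits the eval breaker constantly and lets the heartbeat through."""
    pow_ticks, elapsed = ticks_while(lambda: 3 ** exponent)

    def busy_loop():
        deadline = time.perf_counter() + max(elapsed, 0.25)
        while time.perf_counter() < deadline:
            pass

    loop_ticks, _ = ticks_while(busy_loop)
    return {"pow_ticks": pow_ticks, "loop_ticks": loop_ticks, "elapsed": elapsed}


# Program run in the child interpreter: cap CPU time and address space, drop
# core dumps, then execute whatever arrives on stdin.
CHILD_PROGRAM = r"""
import resource, sys
cpu, mem = int(sys.argv[1]), int(sys.argv[2])
resource.setrlimit(resource.RLIMIT_CPU, (cpu, cpu + 1))  # SIGXCPU at the soft limit
resource.setrlimit(resource.RLIMIT_AS, (mem, mem))       # MemoryError instead of swapping the host
resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
exec(compile(sys.stdin.read(), "<untrusted>", "exec"), {})
"""


def run_isolated(source, cpu_seconds=1, wall_seconds=5, mem_bytes=512 * 2**20):
    """Run untrusted source in a separate interpreter with CPU, memory and
    wall-clock caps, so a runaway pow() kills the child and never holds this
    process's GIL. Returns (status, stdout). This only bounds resource use;
    it is not a sandbox and does not stop the code from doing anything else."""
    proc = subprocess.Popen(
        [sys.executable, "-c", CHILD_PROGRAM, str(cpu_seconds), str(mem_bytes)],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
    )
    try:
        out, _ = proc.communicate(source.encode(), timeout=wall_seconds)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.communicate()
        return "wall-timeout", ""
    if proc.returncode == 0:
        return "ok", out.decode()
    if proc.returncode in (-signal.SIGXCPU, -signal.SIGKILL):  # soft or hard CPU limit
        return "cpu-limit", out.decode()
    return "error", out.decode()


if __name__ == "__main__":
    print(starvation_demo())
    print(run_isolated("print(pow(3, 5))"))
    print(run_isolated("x = pow(3, 10 ** 9)", cpu_seconds=1, wall_seconds=10))
```

On a run of `starvation_demo()` the heartbeat count during the `pow()` stays in the low single digits while the busy loop lets it through dozens of times over the same wall-clock span, which is the "GIL never gets released" behaviour from the reply made visible. `run_isolated` is the containment a practitioner reaches for when the code cannot simply be refused: the limits are enforced by the kernel on the child, so the parent's threads keep running regardless of what the child computes.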

