Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork33.7k
Open
Description
Whenhttp.server.CGIHTTPRequestHandler on Windows (and other platforms withoutfork()) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subprocess running the script. The underlying SocketIO allocates the amount of memory specified in theContent-Length header before actual reading the data, so a small request with incorrectContent-Length can cause consumption of the large amount of memory and CPU time and can be used in the DOS attack on the server.
Linked PRs
- [3.14] gh-119452: Fix a potential virtual memory allocation denial of service in http.server #119455
- [3.13] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) #142130
- [3.12] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) #142131
- [3.11] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) #142132
- [3.10] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) #142133
- [3.14] gh-119452: Block until data is read #142176
- [3.14] gh-119452: Remove select, skip 'truncated' test #142178
- [3.14] Try to fix the fix for gh-119452 #142180
- [3.14] gh-119452: Read/write CGI data using worker threads #142181
- [3.14] Revert "gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455)" #142184
- [3.13] Revert "gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) (GH-142130)" #142185
- [3.14] gh-119452: Fix a potential virtual memory allocation denial of service in http.server #142216
- [3.13] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216) #142296
- [3.12] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216) #142297
- [3.11] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216) #142298
- [3.10] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-142216) #142299
Metadata
Metadata
Assignees
Labels
Projects
Status
Todo