python / cpython

The Python programming language
https://www.python.org/

OOM vulnerability in the CGI server on Windows #119452

Open serhiy-storchaka opened 1 month ago

serhiy-storchaka commented 1 month ago

When http.server.CGIHTTPRequestHandler on Windows (and other platforms without fork()) handles a POST request, it reads the whole body of the POST request into memory before sending it to the subprocess running the script. The underlying SocketIO allocates the amount of memory specified in the Content-Length header before actually reading the data, so a small request with an incorrect Content-Length can cause consumption of a large amount of memory and CPU time and can be used in a DoS attack on the server.

picnixz commented 1 month ago

Correct me if I'm wrong, but the incriminated lines are the following, right:

https://github.com/python/cpython/blob/c85e3526736d1cf8226686fdf4f5117e105a7b13/Lib/http/server.py#L1226-L1227

If so, could I perhaps take on this one? (I have never directly contributed to CPython, so I think I can take this one to set up everything that's needed, unless you are already working on it.)

serhiy-storchaka commented 1 month ago

Thank you for volunteering @picnixz, but I already have a solution. I have been somewhat delayed in publishing it because I discovered another problem: the large body was truncated on Windows, because SocketIO.read() is unbuffered and can return partial data.
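As an added illustration of the two problems described in this thread (it is not CPython's fix, and `ShortReadSource`, `copy_body` and `run_example` are names made up here): a body-forwarding loop whose allocation is bounded by a fixed chunk size rather than the client-supplied Content-Length, and which keeps reading until the declared length is consumed, so the short reads an unbuffered SocketIO can return no longer truncate the body. `ShortReadSource` is a constructed stand-in for the socket that always returns at most a few bytes per read.

```python
import io

class ShortReadSource(io.RawIOBase):
    """Constructed stand-in for an unbuffered SocketIO: every read() returns
    at most `chunk` bytes, so one read() of the declared length comes back short."""

    def __init__(self, payload: bytes, chunk: int = 7):
        self._buf = payload
        self._chunk = chunk

    def readable(self) -> bool:
        return True

    def readinto(self, b) -> int:
        n = min(len(b), self._chunk, len(self._buf))
        b[:n] = self._buf[:n]
        self._buf = self._buf[n:]
        return n


def copy_body(rfile, content_length: int, dest, max_chunk: int = 64 * 1024) -> int:
    """Forward exactly `content_length` bytes from `rfile` to `dest`.

    Unlike a single `rfile.read(content_length)`, the largest buffer ever
    allocated is `max_chunk`, so a request that declares a huge Content-Length
    but sends a few bytes costs the server one small buffer, not the declared
    size. Looping until the count is reached also avoids the truncation that
    one unbuffered read() causes when it returns partial data.
    Returns the number of bytes actually forwarded."""
    remaining = content_length
    while remaining > 0:
        chunk = rfile.read(min(remaining, max_chunk))
        if not chunk:  # peer closed early: the header overstated the body
            break
        dest.write(chunk)
        remaining -= len(chunk)
    return content_length - remaining


def run_example(payload: bytes, declared_length: int, max_chunk: int = 16):
    """Drive copy_body against the short-read source; returns (forwarded, body)."""
    dest = io.BytesIO()
    forwarded = copy_body(ShortReadSource(payload), declared_length, dest, max_chunk)
    return forwarded, dest.getvalue()


if __name__ == "__main__":
    # Honest header: 100 bytes declared and sent, reassembled from 7-byte reads.
    print(run_example(b"a" * 100, 100))
    # Overstated header: 1 MiB declared, 5 bytes sent; 16-byte buffers, 5 forwarded.
    print(run_example(b"hello", 1 << 20))
```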

picnixz commented 1 month ago

No worries! I think you are much faster than me on that since I'm not really familiar with the http and IO-related codebase.