pywsgi.py:Input._do_read isn't secure against truncated and malformed POST requests #92

Closed
denik opened this issue Sep 13, 2012 · 0 comments
denik commented Sep 13, 2012

What steps will reproduce the problem?

  1. Launch dummy WSGI app that processes POST requests with "python gevent-server.py"
  2. Inject truncated request with "nc localhost 80 -q 2 < hack-gevent-wsgi"

What is the expected output?

There should be some kind of exception or treatment that makes the app aware of the fact that the request is malformed.

What do you see instead?

Absolutely no warning from gevent.
Infinite loop when the app tries to read wsgi.input according to CONTENT_LENGTH

What version of the gevent are you using?

gevent-0.13.6

What version of libevent are you using?

On what operating system?

Debian and Ubuntu (GNU/Linux)

On what Python?

tested with 2.6 and 2.7

Notes:

The test app may look naive, but actually reproduces the behavior of many web frameworks.

There should be an exception that lets the app know that the POST or PUT request is malformed. This is a serious security issue.

Reported by bezverky.


earlier comments

schmir said, at 2011-10-14T21:20:48.000Z:

There's at least one code path that throws an IOError when receiving a truncated POST request. It happens when using chunked encoding and one of the chunks is truncated. I will implement the suggested behaviour (raising IOError) - unless Denis objects.

Denis?

maluke said, at 2011-10-14T21:23:15.000Z:

You can just borrow code from webob.

Denis.Bilenko said, at 2011-10-15T05:08:39.000Z:

I think raising IOError on truncated POST request is fine.

schmir said, at 2011-10-26T21:17:18.000Z:

IOErrors are now being raised by the Input class on truncated requests...

@denik denik closed this as completed Sep 13, 2012
hashbrowncipher pushed a commit to hashbrowncipher/gevent that referenced this issue Oct 20, 2018
Log more info when catch OSError while doing a popen
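
The failure mode reported in this issue and the behaviour agreed on in the comments (raise IOError on a truncated body), as an added example that is not gevent's code or the reporter's test app. The names `naive_read`, `checked_read`, `TruncatedBody` and `make_environ` are hypothetical, the environ dicts are constructed, and the `max_spins` cap exists only so the demonstration terminates.

```python
import io

class TruncatedBody(IOError):
    """Input ended before CONTENT_LENGTH bytes were received."""

def naive_read(environ, max_spins=1000):
    # Pattern from the report: loop until CONTENT_LENGTH bytes have been read.
    # read() returns b"" at EOF, so a truncated body never advances the loop.
    # max_spins is a demo-only cap; the real pattern has none and spins forever.
    want = int(environ["CONTENT_LENGTH"])
    body, spins = b"", 0
    while len(body) < want and spins < max_spins:
        body += environ["wsgi.input"].read(want - len(body))
        spins += 1
    return body, spins

def checked_read(environ, max_length=1 << 20):
    # Hardened reader: validate the header, bound the size, and treat an
    # empty read before the declared length as an error, not as "try again".
    raw = environ.get("CONTENT_LENGTH", "")
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("malformed CONTENT_LENGTH: %r" % raw)
    want = int(raw)
    if want > max_length:
        raise ValueError("declared body of %d bytes exceeds limit" % want)
    chunks, got = [], 0
    while got < want:
        chunk = environ["wsgi.input"].read(min(65536, want - got))
        if not chunk:
            raise TruncatedBody("got %d of %d bytes" % (got, want))
        chunks.append(chunk)
        got += len(chunk)
    return b"".join(chunks)

def make_environ(body, declared):
    # Constructed WSGI environ: `declared` plays the request's Content-Length.
    return {"CONTENT_LENGTH": str(declared), "wsgi.input": io.BytesIO(body)}

if __name__ == "__main__":
    print(naive_read(make_environ(b"a=1", 10)))        # stalls at 3 bytes
    print(checked_read(make_environ(b"a=1&b=2", 7)))   # complete body
    try:
        checked_read(make_environ(b"a=1", 10))
    except IOError as exc:
        print("rejected:", exc)
```
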