CGI DOS vulnerability via long post list #79047
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
assignee = None
closed_at = <Date 2018-10-30.21:30:20.920>
created_at = <Date 2018-10-01.21:23:27.958>
labels = ['type-security', '3.8', '3.7', 'library']
title = 'CGI DOS vulnerability via long post list'
updated_at = <Date 2018-10-30.21:30:20.918>
user = 'https://github.com/matthewbelisle-wf'

activity = <Date 2018-10-30.21:30:20.918>
actor = 'vstinner'
assignee = 'none'
closed = True
closed_date = <Date 2018-10-30.21:30:20.920>
closer = 'vstinner'
components = ['Library (Lib)']
creation = <Date 2018-10-01.21:23:27.958>
creator = 'Matthew Belisle'
dependencies =
files = ['47861']
hgrepos =
issue_num = 34866
keywords = ['patch']
message_count = 11.0
messages = ['326831', '327476', '328036', '328037', '328038', '328401', '328402', '328950', '328951', '328953', '328954']
nosy_count = 4.0
nosy_names = ['vstinner', 'miss-islington', 'xtreak', 'Matthew Belisle']
pr_nums = ['9660', '9965', '9966', '9969']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue34866'
versions = ['Python 2.7', 'Python 3.6', 'Python 3.7', 'Python 3.8']
Copied from email to email@example.com:
I have been doing memory profiling on a few python web frameworks and I noticed this issue in the cgi.FieldStorage class.
$ python example.py
Memory used: 523935744 bytes
The problem is there is no easy way to limit the number of MiniFieldStorage objects created by FieldStorage, so it goes unchecked in many frameworks like pyramid, pylons, webapp2, and flask. The end result is that on these frameworks, a 9MB request body (gzipped down to 9KB) can chew up ~500MB of memory on the server which is enough to effectively DOS it. The obvious way to prevent this currently is to check the content-length header and fail if it exceeds some value. But that solution has a major shortcoming because many frameworks want to allow large payloads, sometimes up to 10MB, as long as they contain a reasonable number of fields.
After talking with the firstname.lastname@example.org
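The mitigation the report asks for is a cap on the number of fields, applied before any per-field object is created, and applied in addition to (not instead of) a byte-size cap. The fix that closed this issue added a `max_num_fields` argument to `cgi.FieldStorage` and to `urllib.parse.parse_qs` / `parse_qsl` for exactly this purpose. The following is an added example written for this page; it is neither the reporter's `example.py` nor CPython's own patch. It uses `urllib.parse.parse_qs` (which still exists in current Python, unlike the `cgi` module) with its `max_num_fields` argument, plus a hypothetical `accept_request` wrapper that combines a size limit with a field-count limit so that a small body made of thousands of tiny fields is rejected while a large body with a single field is accepted. The limits and sample bodies are constructed for the demonstration.

```python
"""Field-count limiting for form bodies: the check the report above says is missing.

Hypothetical helper code added to this issue page; it is not CPython's fix and
not the reporter's example.py.  It relies on urllib.parse.parse_qs, whose
max_num_fields argument was added by the fix for this issue (bpo-34866).
"""
from urllib.parse import parse_qs

MAX_BODY_BYTES = 10 * 1024 * 1024   # frameworks legitimately allow ~10MB bodies
MAX_NUM_FIELDS = 1000               # but a form should never need thousands of fields


def field_count(body: str, separator: str = "&") -> int:
    """Cheap O(n) estimate of how many fields a body would decode into.

    Counting separators allocates nothing per field, so it can run before any
    per-field object (the MiniFieldStorage of the report) is created.
    Mirrors how parse_qs itself counts: one field plus one per separator.
    """
    return 1 + body.count(separator)


def parse_form(body: str, max_num_fields: int = MAX_NUM_FIELDS) -> dict:
    """Decode an application/x-www-form-urlencoded body with a field cap.

    parse_qs raises ValueError before building any result when the body has
    more than max_num_fields fields, so memory use is bounded by the cap, not
    by whatever the client chooses to send.
    """
    return parse_qs(body, keep_blank_values=True, max_num_fields=max_num_fields)


def accept_request(body: bytes,
                   max_body_bytes: int = MAX_BODY_BYTES,
                   max_num_fields: int = MAX_NUM_FIELDS) -> dict:
    """Apply both limits: byte size (what a Content-Length check gives you)
    and field count (what it does not).  Returns the decoded fields or raises
    ValueError with a reason a framework can turn into a 413 response.
    """
    if len(body) > max_body_bytes:
        raise ValueError("body exceeds %d bytes" % max_body_bytes)
    text = body.decode("ascii", errors="replace")
    n = field_count(text)
    if n > max_num_fields:
        raise ValueError("body has %d fields, limit is %d" % (n, max_num_fields))
    return parse_form(text, max_num_fields)


# Constructed sample bodies (not taken from the issue).
NORMAL_BODY = b"user=alice&tags=a&tags=b&comment="
# Many tiny fields: small in bytes, large in per-field objects once parsed.
MANY_FIELDS_BODY = b"&".join(b"f%d=x" % i for i in range(5000))
# One huge field: large in bytes, but only a single object once parsed.
ONE_BIG_FIELD_BODY = b"blob=" + b"A" * (2 * 1024 * 1024)


def classify(body: bytes) -> str:
    """Return which limit, if any, a body trips; used by the demo below."""
    try:
        accept_request(body)
    except ValueError as exc:
        return str(exc)
    return "accepted"


if __name__ == "__main__":
    for name, body in [("normal", NORMAL_BODY),
                       ("many small fields", MANY_FIELDS_BODY),
                       ("one big field", ONE_BIG_FIELD_BODY)]:
        print("%-18s %9d bytes, %5d fields -> %s" % (
            name, len(body), field_count(body.decode("ascii")), classify(body)))
```

The separator pre-count is the important part: a byte-size check alone lets the many-small-fields body through (it is only a few tens of kilobytes), while the field-count check rejects it before a single per-field object is allocated and still admits the 2MB single-field body that a size-only policy tuned for small bodies would have bounced.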