urllib http client vulnerable to DOS attack

[blind-intruder]

BPO	45795
Nosy	@orsenthil, @tiran, @blind-intruder
Files	server.py: server.py file to start a evil server max_time.png curl.png

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = None
created_at = <Date 2021-11-12.15:55:25.359>
labels = ['type-security', 'library', '3.10']
title = 'urllib http client vulnerable to DOS attack'
updated_at = <Date 2021-11-26.16:05:09.328>
user = 'https://github.com/blind-intruder'

bugs.python.org fields:

activity = <Date 2021-11-26.16:05:09.328>
actor = 'orsenthil'
assignee = 'none'
closed = False
closed_date = None
closer = None
components = ['Library (Lib)']
creation = <Date 2021-11-12.15:55:25.359>
creator = 'haqsek2'
dependencies = []
files = ['50436', '50448', '50449']
hgrepos = []
issue_num = 45795
keywords = []
message_count = 10.0
messages = ['406220', '406349', '406519', '406531', '406532', '406537', '406543', '406556', '407047', '407061']
nosy_count = 3.0
nosy_names = ['orsenthil', 'christian.heimes', 'haqsek2']
pr_nums = []
priority = 'normal'
resolution = None
stage = None
status = 'open'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue45795'
versions = ['Python 3.10']

[blind-intruder]

Hi, During my recent tests I have discovered that the urllib http client (urllib.request.urlopen()) is vulnerable to DOS attack using a simple but effective trick.

I am attaching a file named server.py download it and run it using latest version of python. After running it execute the following python code in python interactive mode. (python -i)

import urllib.request
request = urllib.request.Request('http://127.0.0.1:1338')
response = urllib.request.urlopen(req, timeout=1)

DOS limit: We can achieve DOS for unlimited time.

How to fix?
Implement a good logic for timeout in urllib.request.urlopen(url, timeout). Timeout value should not be reset after client receives a data(bytes), because it can easily be abused to achieve DOS.

[blind-intruder]

Is any one going to respond?

[orsenthil]

Timeout value should not be reset after client receives a data(bytes), because it can easily be abused to achieve DOS.

Interesting. I looked the server example.

Does clients like curl have something like this too?

[blind-intruder]

Yes, other clients like curl does not reset the timeout

See the attached screenshots for references.

[blind-intruder]

See the max_time.png and curl.png

[blind-intruder]

So, the idea is to make timeout for the whole operation and it should not reset in any case.

[tiran]

Please don't post screenshots. Screenshots are neither accessible nor searchable. It's better to link to documentation and copy the relevant sentences here.

[blind-intruder]

Maximum time in seconds that you allow the whole operation to take. This is useful for preventing your batch jobs from hanging for hours due to slow networks or links going down. Since 7.32.0, this option accepts decimal values, but the actual timeout will decrease in accuracy as the specified timeout increases in decimal precision.

If this option is used several times, the last one will be used.

Examples:

curl --max-time 10 https://example.com
curl --max-time 2.92 https://example.com

Ref:
https://curl.se/docs/manpage.html#-m

[blind-intruder]

Hi,
Hope all of you are doing good. Looks like you guys are not interested in this issue. Can you please provide me the source code for yhe urllib, I will fix it myself