Title: OOM a potential denial of service in the CGI server on Windows · Issue #119452 · python/cpython · GitHub
Open Graph Title: OOM a potential denial of service in the CGI server on Windows · Issue #119452 · python/cpython
X Title: OOM a potential denial of service in the CGI server on Windows · Issue #119452 · python/cpython
Description: When http.server.CGIHTTPRequestHandler on Windows (and other platforms without fork()) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subprocess running the script. The underlying...
Open Graph Description: When http.server.CGIHTTPRequestHandler on Windows (and other platforms without fork()) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subpr...
X Description: When http.server.CGIHTTPRequestHandler on Windows (and other platforms without fork()) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subpr...
Opengraph URL: https://github.com/python/cpython/issues/119452
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"OOM a potential denial of service in the CGI server on Windows","articleBody":"When `http.server.CGIHTTPRequestHandler` on Windows (and other platforms without `fork()`) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subprocess running the script. The underlying SocketIO allocates the amount of memory specified in the `Content-Length` header before actual reading the data, so a small request with incorrect `Content-Length` can cause consumption of the large amount of memory and CPU time and can be used in the DOS attack on the server.\r\n\n\n\u003c!-- gh-linked-prs --\u003e\n### Linked PRs\n* gh-119455\n* gh-142130\n* gh-142131\n* gh-142132\n* gh-142133\n* gh-142176\n* gh-142178\n* gh-142180\n* gh-142181\n* gh-142184\n* gh-142185\n* gh-142216\n* gh-142296\n* gh-142297\n* gh-142298\n* gh-142299\n\u003c!-- /gh-linked-prs --\u003e\n","author":{"url":"https://github.com/serhiy-storchaka","@type":"Person","name":"serhiy-storchaka"},"datePublished":"2024-05-23T08:29:06.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":6},"url":"https://github.com/119452/cpython/issues/119452"}| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:2619429f-636b-e634-9709-8fa90083f6d7 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D4F2:FC5B9:189AC1E:21A4FC1:6964BADA |
| html-safe-nonce | 4326dd4032299f9999e99874ba18cbf753ac64aa94bbcf70234e1c7c17a8aac3 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJENEYyOkZDNUI5OjE4OUFDMUU6MjFBNEZDMTo2OTY0QkFEQSIsInZpc2l0b3JfaWQiOiIzNzI1NTk2OTc4MTI0NzMzMTQ2IiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0= |
| visitor-hmac | 4fad7fe5bdda4a09f1ecd7d15b1a676aa1921ad55e6d40b629e29f5e90a6570c |
| hovercard-subject-tag | issue:2312289876 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/python/cpython/119452/issue_layout |
| twitter:image | https://opengraph.githubassets.com/ef868ae291f0031fefcbf7630431b9a8529af3ded2ed9af4ccd9d86a76b6640c/python/cpython/issues/119452 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/ef868ae291f0031fefcbf7630431b9a8529af3ded2ed9af4ccd9d86a76b6640c/python/cpython/issues/119452 |
| og:image:alt | When http.server.CGIHTTPRequestHandler on Windows (and other platforms without fork()) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subpr... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | serhiy-storchaka |
| hostname | github.com |
| expected-hostname | github.com |
| None | 9917306ebdf5f9f30d13ede7b74f08a45b5f12b401ce3e4bfabd895ea0ca0ada |
| turbo-cache-control | no-preview |
| go-import | github.com/python/cpython git https://github.com/python/cpython.git |
| octolytics-dimension-user_id | 1525981 |
| octolytics-dimension-user_login | python |
| octolytics-dimension-repository_id | 81598961 |
| octolytics-dimension-repository_nwo | python/cpython |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 81598961 |
| octolytics-dimension-repository_network_root_nwo | python/cpython |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 020ceddb26807bba62dcfb410905847d63243ff5 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width