guangli dong added the comment:
I am interested in "stdlib security"; do you have any recommended info about
this topic?
What I know is "https://python-security.readthedocs.io" and the "cve list".
--
___
Python tra
guangli dong added the comment:
@Gregory P. Smith
Yes, I agree that there are many other ways to make an HTTP client such as "urllib" or "httplib"
hang, because "timeout" is not a global read timeout; this "timeout"
takes effect on every "read socket&
guangli dong added the comment:
@Christian Heimes
This bug is about the "urllib" client library; the key point is not the "http.server"
module.
guangli dong added the comment:
Can you assign a "cve" for this security bug?
I will review the patch later.
New submission from guangli dong:
If you uncompress a file twice into the same dir, an attacker can "write any content to
any file on the host".
PoC code like below:
```
import tarfile
dir_name = "/tmp/anything"
file1_name = "/tmp/a.tar.gz" # ln -sv /tmp/a test_
```
New submission from guangli dong:
If a client requests an HTTP/HTTPS/FTP service which is controlled by an attacker,
the attacker can make this client hang forever, even if the client has set the "timeout"
argument.
Maybe this client will also consume more and more memory. I have not tested
this