[issue45795] urllib http client vulnerable to DOS attack

2021-11-26 Thread Senthil Kumaran
Senthil Kumaran added the comment: Hi Muhammad, I haven't gotten to this. urllib doesn't maintain a client state during multiple request / response. The code is available here https://github.com/python/cpython/tree/main/Lib/urllib

[issue45795] urllib http client vulnerable to DOS attack

2021-11-26 Thread Muhammad Farhan
Muhammad Farhan added the comment: Hi, Hope all of you are doing good. Looks like you guys are not interested in this issue. Can you please provide me the source code for the urllib, I will fix it myself

[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Muhammad Farhan
Muhammad Farhan added the comment: Maximum time in seconds that you allow the whole operation to take. This is useful for preventing your batch jobs from hanging for hours due to slow networks or links going down. Since 7.32.0, this option accepts decimal values, but the actual timeout will

[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Christian Heimes
Christian Heimes added the comment: Please don't post screenshots. Screenshots are neither accessible nor searchable. It's better to link to documentation and copy the relevant sentences here. -- nosy: +christian.heimes

[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Muhammad Farhan
Muhammad Farhan added the comment: So, the idea is to make timeout for the whole operation and it should not reset in any case.

[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Muhammad Farhan
Muhammad Farhan added the comment: See the max_time.png and curl.png -- Added file: https://bugs.python.org/file50449/curl.png

[issue45795] urllib http client vulnerable to DOS attack

2021-11-18 Thread Muhammad Farhan
Muhammad Farhan added the comment: Yes, other clients like curl do not reset the timeout. See the attached screenshots for references. -- Added file: https://bugs.python.org/file50448/max_time.png

[issue45795] urllib http client vulnerable to DOS attack

2021-11-17 Thread Senthil Kumaran
Senthil Kumaran added the comment:
> Timeout value should not be reset after client receives a data(bytes),
> because it can easily be abused to achieve DOS.

Interesting. I looked at the server example. Do clients like curl have something like this too?

[issue45795] urllib http client vulnerable to DOS attack

2021-11-17 Thread Ned Deily
Change by Ned Deily: nosy: +orsenthil

[issue45795] urllib http client vulnerable to DOS attack

2021-11-15 Thread Muhammad Farhan
Muhammad Farhan added the comment: Is anyone going to respond?

[issue45795] urllib http client vulnerable to DOS attack

2021-11-12 Thread Muhammad Farhan
New submission from Muhammad Farhan: Hi, During my recent tests I have discovered that the urllib http client (urllib.request.urlopen()) is vulnerable to DOS attack using a simple but effective trick. I am attaching a file named server.py; download it and run it using latest version of pytho
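
The difference the thread is arguing about, shown at the socket level as an added example (not code from this issue, from server.py, or from urllib): the `timeout` given to `urlopen()` is a socket timeout that applies to each blocking operation, whereas curl's maximum time bounds the whole transfer. The function names and the `slow_peer` helper, a constructed local socketpair peer, are assumptions made for illustration.

```python
import socket
import threading
import time

class DeadlineExceeded(Exception):
    """The whole transfer took longer than the caller's max_time."""

def read_per_recv_timeout(sock, timeout, chunk=4096):
    """Per-recv timeout: the clock restarts on every call (reported behaviour)."""
    sock.settimeout(timeout)
    buf = bytearray()
    while True:
        data = sock.recv(chunk)  # waits up to `timeout` again each time
        if not data:             # peer closed the connection
            return bytes(buf)
        buf += data

def read_with_deadline(sock, max_time, chunk=4096):
    """Whole-operation deadline: one clock for the entire transfer."""
    deadline = time.monotonic() + max_time
    buf = bytearray()
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise DeadlineExceeded(f"{len(buf)} bytes after {max_time}s")
        sock.settimeout(remaining)  # never wait past the overall deadline
        try:
            data = sock.recv(chunk)
        except socket.timeout:
            raise DeadlineExceeded(f"{len(buf)} bytes after {max_time}s") from None
        if not data:
            return bytes(buf)
        buf += data

def slow_peer(n=10, gap=0.05):
    """Constructed local peer (socketpair): sends n bytes, one every `gap` s."""
    ours, theirs = socket.socketpair()
    def send():
        try:
            for _ in range(n):
                theirs.sendall(b"x")
                time.sleep(gap)
        except OSError:
            pass  # reader gave up and closed its end
        finally:
            theirs.close()
    threading.Thread(target=send, daemon=True).start()
    return ours
```

With a 1.0 s per-recv timeout the first reader stays attached to a peer that takes 1.25 s in total, because no single wait ever reaches the limit; the second reader stops once its overall budget is spent.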