OOM a potential denial of service in the CGI server on Windows #119452
Description
When http.server.CGIHTTPRequestHandler on Windows (and other platforms without fork()) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subprocess running the script. The underlying SocketIO allocates the amount of memory specified in the Content-Length header before actual reading the data, so a small request with incorrect Content-Length can cause consumption of the large amount of memory and CPU time and can be used in the DOS attack on the server.
Linked PRs
- [3.14] gh-119452: Fix a potential virtual memory allocation denial of service in http.server #119455
- [3.13] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) #142130
- [3.12] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) #142131
- [3.11] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) #142132
- [3.10] gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) #142133
- [3.14] gh-119452: Block until data is read #142176
- [3.14] gh-119452: Remove select, skip 'truncated' test #142178
- [3.14] Try to fix the fix for gh-119452 #142180
- [3.14] gh-119452: Read/write CGI data using worker threads #142181
- [3.14] Revert "gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455)" #142184
- [3.13] Revert "gh-119452: Fix a potential virtual memory allocation denial of service in http.server (GH-119455) (GH-142130)" #142185