[Zope-Checkins] CVS: Zope/ZServer - HTTPServer.py:1.37.16.1
Brian Lloyd
brian@zope.com
Thu, 3 Oct 2002 22:28:07 -0400
Update of /cvs-repository/Zope/ZServer
In directory cvs.zope.org:/tmp/cvs-serv11611
Modified Files:
Tag: Zope-2_5-branch
HTTPServer.py
Log Message:
Fixed bug 606 (medusa / ZServer http server did not limit header length).
=== Zope/ZServer/HTTPServer.py 1.37 => 1.37.16.1 ===
--- Zope/ZServer/HTTPServer.py:1.37 Wed Nov 28 10:50:50 2001
+++ Zope/ZServer/HTTPServer.py Thu Oct 3 22:28:06 2002
@@ -253,7 +253,8 @@
closed=0
zombie_timeout=100*60 # 100 minutes
-
+ max_header_len = 8196
+
def __init__(self, server, conn, addr):
http_channel.__init__(self, server, conn, addr)
requestCloseOnExec(conn)
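Review bot: `max_header_len = 8196` has no comment stating its unit or what it bounds, and the value looks like a slip for 8192 (8 KiB); if 8196 is deliberate, the reason should be recorded. The check added later in this commit compares it with `len(self.in_buffer)`, so it appears to cap the request line plus all headers. A comment would make that explicit, e.g. `max_header_len = 8192  # max size of request line + headers buffered before a request is parsed`. The class this attribute belongs to starts outside the hunk, so whether subclasses or configuration are expected to override it cannot be confirmed from here.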
@@ -306,6 +307,17 @@
if (now - channel.creation_time) > channel.zombie_timeout:
channel.close()
+ def collect_incoming_data (self, data):
+ # Override medusa http_channel implementation to prevent DOS attacks
+ # that send never-ending HTTP headers.
+ if self.current_request:
+ # we are receiving data (probably POST data) for a request
+ self.current_request.collect_incoming_data (data)
+ else:
+ # we are receiving header (request) data
+ self.in_buffer = self.in_buffer + data
+ if len(self.in_buffer) > self.max_header_len:
+ raise ValueError('HTTP headers invalid (too long)')
class zhttp_server(http_server):
"http server"