[Zope-Checkins] SVN: Zope/trunk/ - Collector #1003: added new
'http-header-max-length' directive
Andreas Jung
andreas at andreas-jung.com
Fri Nov 26 08:20:29 EST 2004
Log message for revision 28511:
- Collector #1003: added new 'http-header-max-length' directive
to zope.conf to specify the maximum length of an HTTP request
header before it is considered a possible DoS attack and
discarded.
Changed:
U Zope/trunk/doc/CHANGES.txt
U Zope/trunk/lib/python/ZServer/HTTPServer.py
U Zope/trunk/lib/python/Zope/Startup/handlers.py
U Zope/trunk/lib/python/Zope/Startup/zopeschema.xml
U Zope/trunk/skel/etc/zope.conf.in
-=-
Modified: Zope/trunk/doc/CHANGES.txt
===================================================================
--- Zope/trunk/doc/CHANGES.txt 2004-11-26 12:12:04 UTC (rev 28510)
+++ Zope/trunk/doc/CHANGES.txt 2004-11-26 13:20:29 UTC (rev 28511)
@@ -46,6 +46,11 @@
Bugs fixed
+ - Collector #1003: added new 'http-header-max-length' directive
+ to zope.conf to specific the maximum length of a HTTP request
+ header before it is considered as a possible DoS attack and
+ discarded.
+
- Collector #1371: added new 'cgi-maxlen' directive to zope.conf
to limit the amount of form data being processed by Zope
to prevent DoS attacks
Modified: Zope/trunk/lib/python/ZServer/HTTPServer.py
===================================================================
--- Zope/trunk/lib/python/ZServer/HTTPServer.py 2004-11-26 12:12:04 UTC (rev 28510)
+++ Zope/trunk/lib/python/ZServer/HTTPServer.py 2004-11-26 13:20:29 UTC (rev 28511)
@@ -44,6 +44,7 @@
from PubCore import handle
from HTTPResponse import make_response
from ZPublisher.HTTPRequest import HTTPRequest
+from App.config import getConfiguration
from medusa.http_server import http_server,get_header, http_channel, VERSION_STRING
import asyncore
@@ -288,13 +289,13 @@
closed = 0
no_more_requests = 0
zombie_timeout=100*60 # 100 minutes
- max_header_len = 8196
def __init__(self, server, conn, addr):
http_channel.__init__(self, server, conn, addr)
requestCloseOnExec(conn)
self.queue=[]
self.working=0
+ self.max_header_len = getConfiguration().http_header_max_length
def push(self, producer, send=1):
# this is thread-safe when send is false
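Review bot: Removing the class attribute `max_header_len = 8196` leaves zhttp_channel with no fallback, so `__init__` raises AttributeError whenever the object returned by `getConfiguration()` lacks an `http_header_max_length` attribute (a channel created before the zope.conf-driven configuration is installed, or in a test that never loads the schema — inferred; whether that can happen is not visible in this hunk). Keeping a class-level default and reading the setting with `self.max_header_len = getattr(getConfiguration(), 'http_header_max_length', self.max_header_len)` preserves a working default and keeps `zhttp_channel.max_header_len` available to any code that read it from the class. Note also that the old hard-coded value was 8196 while the schema default in this commit is 8192; if the change of default is intentional it deserves a mention in the CHANGES entry. The zhttp_channel class header lies outside the hunk.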
@@ -365,7 +366,8 @@
else:
# we are receiving header (request) data
self.in_buffer = self.in_buffer + data
- if len(self.in_buffer) > self.max_header_len:
+ inbuf_len = len(self.in_buffer)
+ if inbuf_len > self.max_header_len:
# Don't bother with a proper response header,
# we are probably under attack and that would just consume
# precious resources.
@@ -373,7 +375,7 @@
# Hanging's too good for them!
# Unfortunate side effect: the attack gets logged to the
# event log, but not the access log.
- raise ValueError('HTTP headers invalid (too long)')
+ raise ValueError('HTTP headers invalid (too long) (got: %d bytes, allowed %d bytes' % (inbuf_len, self.max_header_len))
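Review bot: The new message on the raise line has an unbalanced parenthesis — `(got: %d bytes, allowed %d bytes` is never closed — so the text written to the event log is malformed; the line should read `raise ValueError('HTTP headers invalid (too long) (got: %d bytes, allowed %d bytes)' % (inbuf_len, self.max_header_len))`. As the comment above explains, the bare exception is deliberate so that no resources are spent on a proper response, which makes this message the only record of the rejected request and worth getting right. The enclosing method begins and ends outside this hunk.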
class zhttp_server(http_server):
"http server"
Modified: Zope/trunk/lib/python/Zope/Startup/handlers.py
===================================================================
--- Zope/trunk/lib/python/Zope/Startup/handlers.py 2004-11-26 12:12:04 UTC (rev 28510)
+++ Zope/trunk/lib/python/Zope/Startup/handlers.py 2004-11-26 13:20:29 UTC (rev 28511)
@@ -99,6 +99,9 @@
import cgi
cgi.maxlen = value
+def http_header_max_length(value):
+ return value
+
# server handlers
def root_handler(config):
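Review bot: `http_header_max_length` is an identity handler with no comment explaining why it exists, while its neighbour `cgi_maxlen` directly above applies its value as a side effect on the cgi module, so a reader will expect it to do something. A one-line docstring would settle that, for example `"""No-op handler: the value is read from the config object by ZServer.HTTPServer."""` (inferred from the HTTPServer.py change in this same commit). Since the schema declares the key with datatype `integer`, which admits zero and negative values, and the channel check is `inbuf_len > self.max_header_len`, a value of 0 would reject every request that sends any header bytes; a guard such as `if value <= 0: raise ValueError('http-header-max-length must be a positive integer')` here would surface the misconfiguration when the config is processed rather than at the first request.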
Modified: Zope/trunk/lib/python/Zope/Startup/zopeschema.xml
===================================================================
--- Zope/trunk/lib/python/Zope/Startup/zopeschema.xml 2004-11-26 12:12:04 UTC (rev 28510)
+++ Zope/trunk/lib/python/Zope/Startup/zopeschema.xml 2004-11-26 13:20:29 UTC (rev 28511)
@@ -530,6 +530,12 @@
</description>
</key>
+ <key name="http-header-max-length" default="8192" handler="http_header_max_length" datatype="integer">
+ <description>
+ Maximum size of received HTTP header being processed by Zope
+ </description>
+ </key>
+
<key name="dns-server" datatype=".dns_resolver" attribute="dns_resolver">
<description>
Specify the ip address of your DNS server in order to cause resolved
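Review bot: The description of the new `http-header-max-length` key gives neither the unit nor the consequence of exceeding the limit, and this text is what administrators and tooling see for the directive. A description along the lines of `Maximum size in bytes of an incoming HTTP request header. A request whose header exceeds this limit is dropped without a response and logged as a possible DoS attempt.` states both; the "dropped without a response" part is taken from the HTTPServer.py change in this commit and should be kept in step with it. The key has no `attribute` declared, so the config attribute name is presumably derived from the key name — worth confirming that it matches the `http_header_max_length` read in HTTPServer.py.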
Modified: Zope/trunk/skel/etc/zope.conf.in
===================================================================
--- Zope/trunk/skel/etc/zope.conf.in 2004-11-26 12:12:04 UTC (rev 28510)
+++ Zope/trunk/skel/etc/zope.conf.in 2004-11-26 13:20:29 UTC (rev 28511)
@@ -431,6 +431,20 @@
# cgi-maxlen 10000
+# Directive: http-header-max-length
+#
+# Description:
+# Maximum number of bytes allowed within a HTTP request header. The request
+# is discarded and considered as a DoS attack if the header size exceeds
+# this limit.
+#
+# Default: 8192
+#
+# Example:
+#
+# http-header-max-length 16384
+
+
# Directive: automatically-quote-dtml-request-data
#
# Description: