[Zope-Checkins] CVS: Zope/lib/python/ZServer - HTTPServer.py:1.46.2.3

Andreas Jung andreas at andreas-jung.com
Sat Nov 27 03:24:59 EST 2004


Update of /cvs-repository/Zope/lib/python/ZServer
In directory cvs.zope.org:/tmp/cvs-serv21239/lib/python/ZServer

Modified Files:
      Tag: Zope-2_7-branch
	HTTPServer.py 
Log Message:

      - Collector #1003: added new 'http-header-max-length' directive
        to zope.conf to specify the maximum length of an HTTP request
        header before it is considered as a possible DoS attack and
        discarded.


=== Zope/lib/python/ZServer/HTTPServer.py 1.46.2.2 => 1.46.2.3 ===
--- Zope/lib/python/ZServer/HTTPServer.py:1.46.2.2	Sun Dec 14 22:11:43 2003
+++ Zope/lib/python/ZServer/HTTPServer.py	Sat Nov 27 03:24:29 2004
@@ -44,6 +44,7 @@
 from PubCore import handle
 from HTTPResponse import make_response
 from ZPublisher.HTTPRequest import HTTPRequest
+from App.config import getConfiguration
 
 from medusa.http_server import http_server,get_header, http_channel, VERSION_STRING
 import asyncore
@@ -287,13 +288,13 @@
     closed = 0
     no_more_requests = 0
     zombie_timeout=100*60 # 100 minutes
-    max_header_len = 8196
 
     def __init__(self, server, conn, addr):
         http_channel.__init__(self, server, conn, addr)
         requestCloseOnExec(conn)
         self.queue=[]
         self.working=0
+        self.max_header_len = getConfiguration().http_header_max_length
 
     def push(self, producer, send=1):
         # this is thread-safe when send is false
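Review bot: With the class-level `max_header_len` gone, the channel has no fallback value, so every accepted connection raises AttributeError inside `__init__` if the configuration object does not carry `http_header_max_length` (a configuration built from an older schema, or one that was never set) — turning a request-size limit into a failure in the connection-accept path. Keeping a class-level default and reading the directive as `self.max_header_len = getattr(getConfiguration(), 'http_header_max_length', self.max_header_len)` keeps the limit enforced either way. Whether the zope.conf schema guarantees a default is not visible in this hunk, so that may already cover it; if so a one-line comment saying where the default comes from would help the next reader.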
@@ -364,8 +365,16 @@
         else:
                 # we are receiving header (request) data
             self.in_buffer = self.in_buffer + data
-            if len(self.in_buffer) > self.max_header_len:
-                raise ValueError('HTTP headers invalid (too long)')
+            inbuf_len = len(self.in_buffer) 
+            if inbuf_len > self.max_header_len:
+                # Don't bother with a proper response header,
+                # we are probably under attack and that would just consume 
+                # precious resources.
+                # Instead, just bail out and leave the nasty client hanging.
+                # Hanging's too good for them!
+                # Unfortunate side effect: the attack gets logged to the
+                # event log, but not the access log.
+                raise ValueError('HTTP headers invalid (too long) (got: %d bytes, allowed %d bytes' % (inbuf_len, self.max_header_len))
 
 class zhttp_server(http_server):
     "http server"


