[Zope] Easy Zope DoS ?

Charlie Reiman creiman@kefta.com
Tue, 21 May 2002 14:59:41 -0700


Using Zope 2.5.1 and Python 2.1.1, I do not see a server lockup but I do see
an exception printed to the console.

2002-05-21T21:43:16 ERROR(200) ZServer Server Error: exceptions.TypeError,
cannot add type "None" to string: file:
/home/creiman/zope/ZopeCVS/Zope/ZServer/HTTPServer.py line: 181

The response is an HTTP 500 internal server error.

I find this worrisome but the server does not crash. I'm only mentioning
this because no one else reported such an exception. FWIW, HTTPServer.py:
line 181 is accessing request.version (and there is no check to see if the
attribute is None).

Just for grins, I then repeated the request about 20 times to see if it
might be killing threads. The server repeats the above behavior but is still
running fine.

The server should handle this more gracefully, most likely by trapping the
missing version earlier and responding with a malformed request error.

> -----Original Message-----
> From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of John
> Adams
> Sent: Tuesday, May 21, 2002 2:30 PM
> To: zope@zope.org
> Subject: Re: [Zope] Easy Zope DoS ?
>
>
> On Tue, 21 May 2002, Thomas B. Passin wrote:
>
> > [John Adams]
> > > It seems that if I've started the zope server from the command line, and
> > > then telnet to the port it's running on (8080) and issue a malformed HTTP
> > > request, I can kill the server. Does anyone else experience this?
> [...]
> > > The server goes down for the count after this.
>
> Let me add a few notes here so I don't cause a panic. I'm on Zope 2.5.0
> with python 2.1.1 (SunOS 5.8 Generic_108528-01 sun4u sparc
> SUNW,Ultra-250.) Non-CVS checkout -- this is a release I downloaded from
> zope.com.
>
> This problem doesn't happen on an immediate restart of zope, so it's
> certainly not an Easy DoS as I may have indicated. It happens once the
> server's been up for a while (but time to failure is unknown.) I just
> restarted my server and now I can't reproduce the issue.
>
> I see quite a few people on higher versions of Zope, and I should probably
> upgrade, but I'd like to know if anyone sees random Zope daemon failure
> that is similar to what I'm experiencing.
>
> -john
>
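
Added example, not part of the original message and not Zope's code: a sketch of the handling suggested above, where a request line with no HTTP version is rejected with a 400 instead of reaching a string concatenation on None. All function names are hypothetical, the sample request lines are constructed, and it assumes the malformed request is a version-less request line and that the server does not serve HTTP/0.9-style requests.

```python
import re

# Request line: METHOD SP target [SP HTTP/x.y]. The version group is optional
# so that a line without one still parses and leaves version as None.
REQUEST_LINE = re.compile(r"^(\S+) (\S+)(?: HTTP/(\d+\.\d+))?$")


def parse_request_line(line):
    """Return (method, target, version); version is None when absent."""
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3)


def status_line_unchecked(line):
    """Failure pattern from the message: version is used with no None check."""
    method, target, version = parse_request_line(line)
    return "HTTP/" + version + " 200 OK"  # TypeError when version is None


def status_line_checked(line):
    """Reject an unparseable or version-less request line with a 400."""
    parsed = parse_request_line(line)
    if parsed is None or parsed[2] is None:
        # No client version to echo, so answer with a fixed one.
        return "HTTP/1.0 400 Bad Request"
    return "HTTP/" + parsed[2] + " 200 OK"


def outcome(handler, line):
    """Run a handler the way a server loop would, mapping a crash to a 500."""
    try:
        return handler(line)
    except TypeError:
        return "HTTP/1.0 500 Internal Server Error"


# Constructed sample request lines: valid, version-less, unparseable.
SAMPLES = ["GET / HTTP/1.0\r\n", "GET /\r\n", "garbage\r\n"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", outcome(status_line_unchecked, s), "|",
              status_line_checked(s))
```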