[Zope-Checkins] CVS: Zope/ZServer - HTTPServer.py:1.37.16.1

Brian Lloyd brian@zope.com
Thu, 3 Oct 2002 22:28:07 -0400


Update of /cvs-repository/Zope/ZServer
In directory cvs.zope.org:/tmp/cvs-serv11611

Modified Files:
      Tag: Zope-2_5-branch
	HTTPServer.py 
Log Message:
Fixed bug 606 (medusa / ZServer http server did not limit header length).


=== Zope/ZServer/HTTPServer.py 1.37 => 1.37.16.1 ===
--- Zope/ZServer/HTTPServer.py:1.37	Wed Nov 28 10:50:50 2001
+++ Zope/ZServer/HTTPServer.py	Thu Oct  3 22:28:06 2002
@@ -253,7 +253,8 @@
 
     closed=0
     zombie_timeout=100*60 # 100 minutes
-    
+    max_header_len = 8196
+
     def __init__(self, server, conn, addr):
         http_channel.__init__(self, server, conn, addr)
         requestCloseOnExec(conn)
@@ -306,6 +307,17 @@
                 if (now - channel.creation_time) > channel.zombie_timeout:
                     channel.close()
 
+    def collect_incoming_data (self, data):
+        # Override medusa http_channel implementation to prevent DOS attacks
+        # that send never-ending HTTP headers.
+        if self.current_request:
+                # we are receiving data (probably POST data) for a request
+            self.current_request.collect_incoming_data (data)
+        else:
+                # we are receiving header (request) data
+            self.in_buffer = self.in_buffer + data
+            if len(self.in_buffer) > self.max_header_len:
+                raise ValueError('HTTP headers invalid (too long)')
 
 class zhttp_server(http_server):    
     "http server"