OOM vulnerability in the CGI server on Windows

[serhiy-storchaka]

When http.server.CGIHTTPRequestHandler on Windows (and other platforms without fork()) handles the POST request, it reads the whole body of the POST request in memory before sending it to the subprocess running the script. The underlying SocketIO allocates the amount of memory specified in the Content-Length header before actual reading the data, so a small request with incorrect Content-Length can cause consumption of the large amount of memory and CPU time and can be used in the DOS attack on the server.

Linked PRs

• gh-119452: Fix OOM vulnerability in http.server #119455

[picnixz]

Correct me if I'm wrong, but the incriminated lines are the following right:

cpython/Lib/http/server.py

Lines 1226 to 1227 in c85e352

	if self.command.lower() == "post" and nbytes > 0:
	data = self.rfile.read(nbytes)

If so, could I perhaps take on this one? (I never directly contributed to CPython so I think I can take this one to setup everything that's needed, unless you are already working on it).

[serhiy-storchaka]

Thank you for volunteering @picnixz, but I already have a solution. I have been somewhat delayed in publishing it because I discovered other problem: the large body was truncated on Windows, because SocketIO.read() is unbuffered and can return a partial data.

[picnixz]

No worries! I think you are much faster than me on that since I'm not really familiar with the http and IO-related codebase.