
URL: stream addresses eats up memory #305

Closed
rorist opened this issue Jul 22, 2013 · 2 comments
Labels
Bug Things to squish; generally used for issues

Comments

@rorist

rorist commented Jul 22, 2013

Hello,

Pasting a link to a stream or to a big file eats up the server memory, eventually leading to an OOM situation.

Looking at the web.py and url.py modules, I currently don't know about a fix, but will look a little bit into it. Do you have an idea?

Maybe we can do a HEAD request looking for content-length/content-type fields.

Cheers

@elad661
Contributor

elad661 commented Jul 23, 2013

This is actually a critical vulnerability, good catch! In addition to content length and type checking we should probably set a timeout and close the connection if it's still downloading after it, to prevent malicious attempts to overload the bot by creating a server that falsely reports content length and type.

@rorist
Author

rorist commented Jul 23, 2013

This bot[1] is using python requests and the stream parameter[2].

[1] https://github.com/lepinkainen/pyfibot/blob/master/pyfibot/pyfibot.py#L244
[2] http://docs.python-requests.org/en/latest/user/advanced.html#body-content-workflow

Something like this plus a (short) timeout on getting the headers should be ok.
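A bounded fetch along the lines discussed in this thread, as an added example that is not pyfibot's or Sopel's own code: the body is only read through `requests`' `stream=True` workflow, the headers are checked first, and a byte cap plus a read deadline still apply even if the server lies about Content-Length. The constants, the `LimitExceeded` class and the helper names are assumptions.

```python
import time

MAX_BYTES = 64 * 1024          # cap on bytes read from any URL (assumed policy value)
ALLOWED_TYPES = ("text/html", "application/xhtml+xml")
READ_DEADLINE = 5.0            # seconds allowed for reading the whole body

class LimitExceeded(Exception):
    """Raised when a response exceeds the byte cap or the read deadline."""

def headers_allow_fetch(headers, max_bytes=MAX_BYTES, allowed=ALLOWED_TYPES):
    """Decide from the response headers whether the body should be read at all.
    Content-Type must be a page type and a declared Content-Length above the cap
    is rejected. A missing or falsified Content-Length is not trusted: the byte
    cap in read_bounded still applies afterwards."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in allowed:
        return False
    length = headers.get("Content-Length")
    if length is not None:
        try:
            if int(length) > max_bytes:
                return False
        except ValueError:
            return False
    return True

def read_bounded(chunks, max_bytes=MAX_BYTES, deadline=READ_DEADLINE, clock=time.monotonic):
    """Consume an iterator of byte chunks, stopping once more than max_bytes
    have arrived or the deadline has passed. Raises LimitExceeded so the caller
    can close the connection instead of buffering an endless stream."""
    start = clock()
    buf = bytearray()
    for chunk in chunks:
        if clock() - start > deadline:
            raise LimitExceeded("read deadline exceeded")
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise LimitExceeded("byte cap exceeded")
    return bytes(buf)

def fetch_limited(url, max_bytes=MAX_BYTES, timeout=3.0):
    """Fetch url with stream=True so nothing is buffered until read_bounded
    pulls it in 4 KiB chunks; the connection is closed on any limit violation.
    Returns None when the headers already rule the URL out."""
    import requests  # third-party; imported here so the helpers above run without it
    resp = requests.get(url, stream=True, timeout=timeout)  # timeout covers connect and header read
    try:
        if not headers_allow_fetch(resp.headers, max_bytes):
            return None
        return read_bounded(resp.iter_content(chunk_size=4096), max_bytes)
    finally:
        resp.close()
```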

maxpowa pushed a commit to maxpowa/Inumuta that referenced this issue Feb 20, 2015
This will prevent accidental or malicious memory hogging by the module
Close sopel-irc#305