Facing the world with SimpleHTTPServer

[Jed Parsons]

Hola -

I'm curious about using SimpleHTTPServer as the web server on my home
machine. It would pretty much just be hit by me, search robots, and
automated attacks

So, before I ditch apache for the fun, all-python setup, are there any
security concerns about using SimpleHTTPServer?
Thanks for any advice/info,

Jed

 

[Irmen de Jong]

Hola -

I'm curious about using SimpleHTTPServer as the web server on my home
machine. It would pretty much just be hit by me, search robots, and
automated attacks

So, before I ditch apache for the fun, all-python setup, are there any
security concerns about using SimpleHTTPServer?
Thanks for any advice/info,

Jed

Security concerns: I don't really know, but there is one nasty
problem with it: it reports an invalid content-length for text files.
(sourceforce patch 839496).

--Irmen

 

[Andrew Dalke]

So, before I ditch apache for the fun, all-python setup, are there any
security concerns about using SimpleHTTPServer?
Thanks for any advice/info,

I know it's open to denial of service attacks.

For example, if you give it a lot of headers, esp.
with long lines, then you can cause the server to
exhaust all memory. Eventually. Apache and the HTTP
protocol both have ways to limit the max header line
and the max number of headers received before giving
an error message.

If you're single threaded there's no timeout so
you can effectively make the machine freeze. If
you're multi-threaded you can instead make the process
run out of available descriptors.

Of course Apache has the last problem too, but it
does allow timeouts on the total request time so
feeding it a character a second and it will eventually
drop the request. I think.

Andrew
(e-mail address removed)