The CookieStorage tries to generate as big cookie as possible to fit all messages. However doing this on lot of small messages is very expensive and can take several seconds on the server, potentially leading to denial of service.
Here is simple code to reproduce the slowness:
#!/usr/bin/env python
# Configure needed settings
from django.conf import settings
settings.configure(MESSAGE_TAGS={})
from django.contrib.sessions.middleware import SessionMiddleware
from django.contrib.messages.middleware import MessageMiddleware
from django.contrib.messages.storage.cookie import CookieStorage
from django.contrib.messages.api import info
from django.http.request import HttpRequest
from django.http.response import HttpResponse
from django.contrib.messages.storage import default_storage
# Request and response objects
response = HttpResponse()
request = HttpRequest()
# Process request by middleware
SessionMiddleware().process_request(request)
mm = MessageMiddleware()
mm.process_request(request)
# Insert messages
for x in range(500):
info(request, 'm:{0}'.format(x))
# Measure response processing time
import timeit
print(timeit.timeit(
'mm.process_response(request, response)',
globals=globals(), number=10
))
In my case the DOS was triggered by broken client who repeatedly posted form generating message, but never did follow redirect to display the messages, so nothing really sophisticated.
Quickly looking at the code following performance improvements come to my mind:
- Avoid repeated encoding of the messages, encode them all at once and then operate on encoded strings
- Avoid calculating HMAC while calculating length as length of it is fixed
- Do bisect instead of removing messages one by one
PR