http.client.HTTPResponse.read() (without argument) consumes the amount of memory specified by the value of the Content-Length header in the response before starting to receive the data from the socket. Normally, if the server does not send enough data, the client gets an IncompleteRead error, but if Content-Length is too large, it can consume a large amount of memory and CPU time and cause swapping. Therefore, a maleficent server can cause a DoS attack on the client by sending a small response.
Linked PRs
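The behaviour described in the report, reproduced locally as an added example (this is not CPython's code and not the reporter's): a constructed "lying" server on localhost advertises a Content-Length far larger than the body it actually sends, then closes. `fetch_naive` is the pattern from the report, `read()` with no argument, which trusts the header and ends in IncompleteRead (or, with a huge header, a large allocation first). `fetch_bounded` is a hypothetical hardened client that rejects an oversized Content-Length before reading and pulls the body with `read(amt)` in fixed-size chunks, so allocation never exceeds `chunk`. The cap `MAX_BODY` and the sample body are assumptions for the demo.

```python
import http.client
import socket
import threading

# Constructed sample: the body the lying server really sends (4 bytes).
ACTUAL_BODY = b"tiny"
# Hypothetical client-side cap on how much body we are willing to buffer.
MAX_BODY = 1 << 20  # 1 MiB


def start_lying_server(advertised_length):
    """Start a one-shot server on 127.0.0.1 that claims `advertised_length`
    body bytes but sends only ACTUAL_BODY and then closes. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # read and discard the client's request
            head = (
                b"HTTP/1.1 200 OK\r\n"
                b"Content-Length: %d\r\n"
                b"Connection: close\r\n"
                b"\r\n" % advertised_length
            )
            conn.sendall(head + ACTUAL_BODY)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def fetch_naive(port):
    """The pattern from the report: read() with no argument trusts
    Content-Length for its allocation. Returns ("ok", body) or
    ("incomplete", bytes_received, bytes_still_expected)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        body = resp.read()  # sizes its buffer from Content-Length up front
        return ("ok", body)
    except http.client.IncompleteRead as exc:
        return ("incomplete", len(exc.partial), exc.expected)
    finally:
        conn.close()


def fetch_bounded(port, max_body=MAX_BODY, chunk=64 * 1024):
    """Hardened client: refuse an oversized Content-Length before reading a
    single body byte, then read in chunks so memory is bounded by `chunk`
    regardless of what the header claims. Returns ("ok", body) or
    ("rejected", claimed_or_received_size)."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        declared = resp.getheader("Content-Length")
        if declared is not None and int(declared) > max_body:
            return ("rejected", int(declared))
        buf = bytearray()
        while True:
            piece = resp.read(chunk)  # read(amt) allocates at most amt bytes
            if not piece:             # EOF: server closed, or body complete
                break
            buf += piece
            if len(buf) > max_body:   # guards servers that omit the header
                return ("rejected", len(buf))
        return ("ok", bytes(buf))
    finally:
        conn.close()


if __name__ == "__main__":
    print(fetch_naive(start_lying_server(10_000)))      # IncompleteRead path
    print(fetch_bounded(start_lying_server(10 ** 9)))   # rejected by the cap
    print(fetch_bounded(start_lying_server(4)))         # honest server, ok
```

The naive demo deliberately uses a modest advertised length (10_000) so that running it does not itself trigger the large allocation the report warns about; the bounded client is exercised with a 1 GB claim, which it rejects before any body read happens.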