[Python-Dev] Hash collision security issue (now public)
Andrew Bennetts andrew at bemusement.org
Thu Jan 5 05:26:27 CET 2012
- Previous message: [Python-Dev] Hash collision security issue (now public)
- Next message: [Python-Dev] Hash collision security issue (now public)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, Jan 04, 2012 at 11:55:13AM +0100, Antoine Pitrou wrote:
> On Wed, 4 Jan 2012 09:59:15 +0200
> Maciej Fijalkowski <fijall at gmail.com> wrote:
> > Is it really a security issue? We knew all along that dicts are
> > O(n^2) in worst case scenario, how is this suddenly a security
> > problem?
>
> Because it has been shown to be exploitable for malicious purposes?
I don't think that's news either. http://mail.python.org/pipermail/python-dev/2003-May/035907.html and http://twistedmatrix.com/pipermail/twisted-python/2003-June/004339.html for instance show that in 2003 it was clearly known to at least be likely to be an exploitable DoS in common code (a dict of HTTP headers or HTTP form keys).
There was debate about whether it's the language's responsibility to mitigate the problem or if apps should use safer designs for handling untrusted input (e.g. limit the number of keys input is allowed to create, or use something other than dicts), and debate about just how practical an effective exploit would be. But I think it was understood to be a real concern 8 years ago, so not exactly sudden.
Just because it's old news doesn't make it not a security problem, of course.
-Andrew.
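The two points the message above makes, that a flood of colliding keys turns dict insertion into O(n^2) total work and that an application can defend itself by capping how many keys untrusted input may create, can be seen in a small model. The following is an added example, not code from the thread or from CPython: `CountingTable` is a toy linear-probing table that counts slot comparisons (not CPython's dict implementation), `CollidingKey` stands in for attacker-chosen keys that all hash alike, and `parse_headers` with its `max_fields` cap is a hypothetical header parser illustrating the "limit the number of keys" mitigation. The sample request is constructed.

```python
"""Toy model of the hash-collision DoS and an application-level mitigation.

Added illustration only: CountingTable is not CPython's dict, and the
parse_headers cap is one possible defence, not the thread's recommendation.
"""

CAPACITY = 4096  # fixed so no resize muddles the probe count


class CountingTable:
    """Minimal open-addressing (linear probing) table that counts how many
    occupied slots it had to examine; that count is the work an attacker
    can inflate with colliding keys."""

    def __init__(self, capacity=CAPACITY):
        self.slots = [None] * capacity
        self.probes = 0
        self.size = 0

    def insert(self, key, value):
        if self.size >= len(self.slots):
            raise OverflowError("toy table is full")
        mask = len(self.slots) - 1
        i = hash(key) & mask
        while True:
            entry = self.slots[i]
            if entry is None:          # free slot: store and stop
                self.slots[i] = (key, value)
                self.size += 1
                return
            self.probes += 1           # occupied slot examined
            if entry[0] == key:        # same key: overwrite
                self.slots[i] = (key, value)
                return
            i = (i + 1) & mask         # linear probe to the next slot


class CollidingKey:
    """Every instance hashes to 0: a stand-in for keys crafted to collide
    under the target's hash function (constructed for illustration)."""

    def __init__(self, name):
        self.name = name

    def __hash__(self):
        return 0

    def __eq__(self, other):
        return isinstance(other, CollidingKey) and self.name == other.name


def collision_probe_count(n):
    """Total slot comparisons when inserting n distinct colliding keys.
    Key i walks past the i keys already clustered at slot 0, so the total
    is 0 + 1 + ... + (n-1) = n*(n-1)/2: quadratic in n."""
    table = CountingTable()
    for i in range(n):
        table.insert(CollidingKey(f"k{i}"), i)
    return table.probes


def distinct_probe_count(n):
    """Same insertion count with well-distributed keys (small ints hash to
    themselves and land in distinct slots), for comparison."""
    table = CountingTable()
    for i in range(n):
        table.insert(i, i)
    return table.probes


# Constructed sample input, not a captured request.
SAMPLE_REQUEST_HEADERS = (
    "Host: example.test\n"
    "User-Agent: demo/1.0\n"
    "Accept: text/html\n"
)


def parse_headers(raw, max_fields=100):
    """Split 'Name: value' lines into a dict, refusing input with more
    fields than max_fields *before* any of them reaches the dict, so an
    attacker cannot drive the quadratic case however the keys hash."""
    lines = [ln for ln in raw.split("\n") if ln.strip()]
    if len(lines) > max_fields:
        raise ValueError(f"too many header fields: {len(lines)} > {max_fields}")
    headers = {}
    for ln in lines:
        name, sep, value = ln.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {ln!r}")
        headers[name.strip().lower()] = value.strip()
    return headers


def header_flood_rejected(n_fields, max_fields=100):
    """True if a request carrying n_fields header lines is refused."""
    flood = "".join(f"X-F{i}: {i}\n" for i in range(n_fields))
    try:
        parse_headers(flood, max_fields=max_fields)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for n in (100, 200, 1000):
        print(n, "colliding:", collision_probe_count(n),
              "distinct:", distinct_probe_count(n))
    print(parse_headers(SAMPLE_REQUEST_HEADERS))
    print("flood of 5000 fields rejected:", header_flood_rejected(5000))
```

The probe counts make the asymmetry concrete: 200 colliding keys cost 19,900 comparisons against 0 for 200 well-spread ones, and the ratio keeps growing quadratically. The parser cap is the design-level answer the thread alludes to; it does not fix the hash function, but it bounds the attacker's multiplier regardless of what the interpreter does.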