[Python-Dev] Hash collision security issue (now public)
Terry Reedy tjreedy at udel.edu
Fri Jan 6 01:11:22 CET 2012
On 1/5/2012 3:10 PM, Ethan Furman wrote:
> Tres Seaver wrote:
>> 1) the security problem is not in CPython, but rather in web servers that use dict inappropriately.
> Most webapp vulnerabilities are due to their use of Python's cgi module, which uses a dict to hold the form / query string data being supplied by untrusted external users. And Glenn suggested further down that an appropriate course of action would be to fix the cgi module (and others) instead of messing with dict.
I think both should be done. For web applications, it would be best to reject DOS attempts with 'random' keys in O(1) time rather than in O(n) time even with improved hash. But in some other apps, like the Python interpreter itself, 'random' names may be quite normal.
-- Terry Jan Reedy
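Added example, not code from the thread or from the cgi module: one way a form parser can refuse an oversized request before any key is hashed, in the spirit of the "fix the cgi module" suggestion above. The field count is taken from the raw string in a single pass, so rejection costs nothing in dict work no matter how the keys were chosen; the function names and the default limit are my own choices.

```python
from urllib.parse import unquote_plus

# Hypothetical default; a real server would size this to its forms.
DEFAULT_MAX_FIELDS = 1000


class TooManyFields(ValueError):
    """Raised before a single key is inserted into the result dict."""


def field_count(query: str) -> int:
    """Number of key=value pairs in a query string, without parsing it.

    The 2012-era cgi module accepted both '&' and ';' as separators,
    so both are counted. This is one pass over the input and no hashing.
    """
    if not query:
        return 0
    return query.count("&") + query.count(";") + 1


def within_limit(query: str, max_fields: int = DEFAULT_MAX_FIELDS) -> bool:
    """True if the request may be parsed, False if it should be rejected."""
    return field_count(query) <= max_fields


def parse_form_bounded(query: str, max_fields: int = DEFAULT_MAX_FIELDS) -> dict:
    """Parse application/x-www-form-urlencoded data into {key: [values]}.

    The size check runs first, so a request carrying far more fields than
    any legitimate form needs is refused before the dict sees any of them,
    rather than after n (possibly colliding) insertions.
    """
    if not within_limit(query, max_fields):
        raise TooManyFields(
            f"{field_count(query)} fields exceed the limit of {max_fields}"
        )
    form: dict = {}
    for pair in query.replace(";", "&").split("&"):
        if not pair:  # tolerate "a=1&&b=2" and a trailing separator
            continue
        key, _, value = pair.partition("=")
        form.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return form
```

Modern CPython's `urllib.parse.parse_qs`/`parse_qsl` expose the same idea as the `max_num_fields` argument (added in 3.8 and backported to the 3.6/3.7/2.7 maintenance lines).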