[Python-Dev] Counting collisions for the win (original) (raw)
Guido van Rossum guido at python.org
Fri Jan 20 23:55:03 CET 2012
- Previous message: [Python-Dev] Counting collisions for the win
- Next message: [Python-Dev] Counting collisions for the win
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Jan 20, 2012 at 2:35 PM, Frank Sievertsen <pydev at sievertsen.de> wrote:
Am 20.01.2012 16:33, schrieb Guido van Rossum:
(I'm thinking that the original attack is trivial once the set of 65000 colliding keys is public knowledge, which must be only a matter of time.
I think it's very likely that this will happen soon. For ASP and PHP there is attack-payload publicly available. PHP and ASP have patches to limit the number of query-variables. We're very lucky that there's no public payload for python yet, and all non-public software and payload I'm aware of is based upon my software. But this can change any moment. It's not really difficult to write software to create 32bit-collisions.
While we're debating the best fix, could we allow people to at least protect themselves against script-kiddies by offering fixes to cgi.py, django, webob and a few other popular frameworks that limits forms to 1000 keys? (I suppose it's really only POST requests that are vulnerable to script kiddies, because of the length restriction on URLs.)
-- --Guido van Rossum (python.org/~guido)
- Previous message: [Python-Dev] Counting collisions for the win
- Next message: [Python-Dev] Counting collisions for the win
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]