Message 151062 - Python tracker
> OTOH, the collision counting patch is very simple, doesn't have the performance issues and provides real protection against the attack.
I don't know about real protection: you can still slow down dict construction by 1000x (the number of allowed collisions per lookup), which can be enough combined with a brute-force DoS.
Also, how about false positives? Having legitimate programs break because of legitimate data would be a disaster.
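The two objections above (an attacker still gets up to the collision limit of probes per operation, and legitimate data can trip the limit) can be made concrete with a toy collision-counting table. This is an added example, not the tracker's patch and not CPython's dict: it assumes open addressing with linear probing instead of CPython's perturbation probing, a fixed capacity with no resizing, a hypothetical `TooManyCollisions` exception, and a `Colliding` key class whose constant `__hash__` stands in both for attacker-crafted keys and for a carelessly written but legitimate class.

```python
"""Toy collision-counting hash table (added example; not CPython's code).

Assumed, not taken from the tracker: linear probing, fixed capacity, no
resizing, and a hypothetical TooManyCollisions raised once a single insert
or lookup has walked past more than `max_collisions` non-matching slots.
"""


class TooManyCollisions(RuntimeError):
    """Hypothetical error: one probe sequence exceeded the collision limit."""


class CollisionLimitedTable:
    def __init__(self, capacity=4096, max_collisions=1000):
        self.capacity = capacity
        self.max_collisions = max_collisions
        self._keys = [None] * capacity
        self._values = [None] * capacity
        self.size = 0
        self.last_collisions = 0   # collisions seen by the most recent operation
        self.total_collisions = 0  # running total, used to estimate attack cost

    def _probe(self, key):
        """Return the slot for key (occupied by key, or free), counting collisions."""
        if self.size >= self.capacity:
            raise MemoryError("table full; this toy does not resize")
        idx = hash(key) % self.capacity
        collisions = 0
        while self._keys[idx] is not None and self._keys[idx] != key:
            collisions += 1
            if collisions > self.max_collisions:
                self.last_collisions = collisions
                self.total_collisions += collisions
                raise TooManyCollisions(f"{collisions} collisions probing for {key!r}")
            idx = (idx + 1) % self.capacity
        self.last_collisions = collisions
        self.total_collisions += collisions
        return idx

    def __setitem__(self, key, value):
        idx = self._probe(key)
        if self._keys[idx] is None:
            self.size += 1
        self._keys[idx] = key
        self._values[idx] = value

    def __getitem__(self, key):
        idx = self._probe(key)
        if self._keys[idx] is None:
            raise KeyError(key)
        return self._values[idx]


class Colliding:
    """Key with a constant hash: what an attacker crafts, and also what a
    legitimate but lazily written class looks like (a false-positive source)."""

    def __init__(self, n):
        self.n = n

    def __hash__(self):
        return 42

    def __eq__(self, other):
        return isinstance(other, Colliding) and self.n == other.n


def attack_cost(n_keys, max_collisions=1000):
    """Insert n_keys all-colliding keys; return (inserted, total_collisions, tripped).

    With linear probing the k-th colliding key walks past the k keys already
    stored, so every insert costs up to max_collisions comparisons before the
    limit finally trips on the (max_collisions + 2)-th key."""
    table = CollisionLimitedTable(max_collisions=max_collisions)
    tripped = False
    for i in range(n_keys):
        try:
            table[Colliding(i)] = i
        except TooManyCollisions:
            tripped = True
            break
    return table.size, table.total_collisions, tripped


def lookup_cost(n_keys, max_collisions=1000):
    """Collisions paid by one lookup of the last of n_keys colliding keys."""
    table = CollisionLimitedTable(max_collisions=max_collisions)
    for i in range(n_keys):
        table[Colliding(i)] = i
    table[Colliding(n_keys - 1)]
    return table.last_collisions


def baseline_cost(n_keys):
    """Collisions paid inserting n_keys small ints, which land in distinct slots."""
    table = CollisionLimitedTable()
    for i in range(n_keys):
        table[i] = i
    return table.total_collisions


if __name__ == "__main__":
    print("baseline, 1000 ints:", baseline_cost(1000))
    print("attacker, 1000 colliding keys:", attack_cost(1000))
    print("one lookup among 1000 colliders:", lookup_cost(1000))
    print("1002 constant-hash objects:", attack_cost(1002))
```

Staying just under the limit, the attacker pays about 500,000 comparisons to insert 1,000 keys and every later lookup costs ~1,000 comparisons where the baseline costs none; that is the "1000x" in the message. The same run with 1,002 `Colliding` objects raises, which is the false-positive case: a program that today merely runs slowly would instead fail on its own data.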