On Fri, Jan 20, 2012 at 2:35 PM, Frank Sievertsen <pydev@sievertsen.de> wrote:
Am 20.01.2012 16:33, schrieb Guido van Rossum:
(I'm thinking that the original attack is trivial once the set of 65000 colliding keys is public knowledge, which must be only a matter of time.
I think it's very likely that this will happen soon.
For ASP and PHP there is attack-payload publicly available. PHP and ASP have patches to limit the number of query-variables.
We're very lucky that there's no public payload for python yet, and all non-public software and payload I'm aware of is based upon my software.
But this can change any moment. It's not really difficult to write software to create 32bit-collisions.
While we're debating the best fix, could we allow people to at least protect themselves against script-kiddies by offering fixes to cgi.py, django, webob and a few other popular frameworks that limits forms to 1000 keys? (I suppose it's really only POST requests that are vulnerable to script kiddies, because of the length restriction on URLs.) -- --Guido van Rossum (python.org/~guido)