On 1/5/2012 3:10 PM, Ethan Furman wrote:
Tres Seaver wrote:
- the security problem is not in CPython, but rather in web servers
that use dict inappropriately.
Most webapp vulnerabilities are due to their use of Python's cgi module, which uses a dict to hold the form / query string data being supplied by untrusted external users.
And Glenn suggested further down that an appropriate course of action would be to fix the cgi module (and others) instead of messing with dict.
I think both should be done. For web applications, it would be best to reject DOS attempts with 'random' keys in O(1) time rather than in O(n) time even with improved hash. But for some other apps, like the Python interpreter itself, 'random' names may be quite normal.
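The two points raised in this message, as an added example that is not code from the thread, the cgi module or CPython: why colliding form-field keys make dict insertion degrade to O(n) per key (shown deterministically by counting `__eq__` calls on a hypothetical key type whose `__hash__` is constant, standing in for attacker-chosen colliding strings), and the cheap up-front guard the message argues for, a cap on the number of form fields checked before any key is hashed or inserted. The `MAX_FIELDS` value and the `parse_form` function are assumptions for illustration, not part of the cgi module.

```python
"""Added example (not from the python-dev thread): collision cost vs. an up-front field-count cap."""
from urllib.parse import parse_qsl


class CollidingKey:
    """Hypothetical key type: constant __hash__ forces every insert to probe every
    existing key, which is what attacker-chosen colliding strings do to a real dict."""
    eq_calls = 0  # class-level counter of equality comparisons performed by the dict

    def __init__(self, name):
        self.name = name

    def __hash__(self):
        return 0  # every key lands in the same probe sequence

    def __eq__(self, other):
        CollidingKey.eq_calls += 1
        return isinstance(other, CollidingKey) and self.name == other.name


def collision_cost(n):
    """Insert n distinct colliding keys into a dict and return the number of
    __eq__ comparisons the dict had to make: the i-th insert compares against
    all i earlier keys, so the total is n*(n-1)/2, i.e. quadratic in n."""
    CollidingKey.eq_calls = 0
    d = {}
    for i in range(n):
        d[CollidingKey("k%d" % i)] = i
    return CollidingKey.eq_calls


MAX_FIELDS = 1000  # assumed limit for this example; pick one that fits the application


def parse_form(query, max_fields=MAX_FIELDS):
    """Parse a query string into a dict, but refuse oversized input before any
    field is hashed. Counting separators is one pass over bytes the server has
    already received; no dict work is done for rejected requests, so an attacker
    cannot buy quadratic hashing time with a single large request."""
    if query.count("&") + 1 > max_fields:
        raise ValueError("too many form fields (%d allowed)" % max_fields)
    form = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        form[name] = value  # last occurrence wins, as with a naive dict fill
    return form


if __name__ == "__main__":
    print("comparisons for 10 colliding keys:", collision_cost(10))
    print("comparisons for 100 colliding keys:", collision_cost(100))
    print(parse_form("user=alice&page=2"))
    try:
        parse_form("&".join("k%d=v" % i for i in range(5)), max_fields=3)
    except ValueError as exc:
        print("rejected:", exc)
```

The cap limits the damage but does not remove it: within the allowed field count an attacker can still force `max_fields` collisions per request, which is why the message argues for doing both. Recent Python versions expose the same guard directly as the `max_num_fields` argument of `urllib.parse.parse_qsl` and `cgi.FieldStorage`.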