[Python-Dev] Algoritmic Complexity Attack on Python

Phillip J. Eby pje@telecommunity.com
Sat, 31 May 2003 09:17:16 -0400

At 05:02 PM 5/30/03 -0500, Scott A Crosby wrote:

>The python community will have to judge whether the performance
>difference of the current hash is worth the risk of the attack.

Note that the "community" doesn't really have to judge.  An individual 
developer can, if they have an application they deem vulnerable, do 
something like this:

class SafeString(str):
     def __hash__(self):
         # code to return a hash code

safe = SafeString(string_from_untrusted_source)

and then use only these "safe" strings as keys for a given dictionary.  Or, 
with a little more work, they can subclass 'dict' and make a dictionary 
that converts its keys to "safe" strings.

As far as current vulnerability goes, I'd say that the most commonly 
available attack point for this would be CGI programs that accept POST 
operations.  A POST can supply an arbitrarily large number of form field keys.

If you can show that the Python 'cgi' module is vulnerable to such an 
attack, in a dramatic disproportion to the size of the data transmitted 
(since obviously it's as much of a DoS to flood a script with a large 
quantity of data), then it might be worth making changes to the 'cgi' 
module, or at least warning the developers of alternatives to CGI (e.g. 
Zope, Quixote, SkunkWeb, CherryPy, etc.) that alternate hashes might be a 
good idea.

But based on the discussion so far, I'm not sure I see how this attack 
would produce an effect that was dramatically disproportionate to the 
amount of data transmitted.