[Python-Dev] Hash collision security issue (now public)

Christian Heimes lists at cheimes.de
Thu Dec 29 14:04:05 CET 2011

Am 29.12.2011 12:10, schrieb Antoine Pitrou:
>> I've been dealing with web stuff and security for almost a decade. I've
>> seen far worse attack vectors. This one can easily be solved with a
>> couple of lines of Python code. For example Application developers can
>> limit the maximum amount of POST parameters to a sensible amount and
>> limit the length of each key, too.
> Shouldn't the setting be implemented by frameworks?

Web framework like Django or CherryPy can be considered an application
from the CPython core's point of view. ;)
You are right. The term "framework" is a better word.

>> CPython could aid developers with a special subclass of dict. The
>> crucial lookup function is already overwrite-able per dict instance and
>> on subclasses of dict through PyDictObj's struct member PyDictEntry
>> *(*ma_lookup)(PyDictObject *mp, PyObject *key, long hash). For example
>> specialized subclass could limit the seach for a free slot to n
>> recursions or choose to ignore the hash argument and calculate its own
>> hash of the key.
> Or, rather, the specialized subclass could implement hash randomization.

Yeah! I was thinking about the same when I wrote "calculate its own
hash" but I was too sloppy to carry on my argument. Please take 3am as
my excuse.

More information about the Python-Dev mailing list