[Python-Dev] Hash collision security issue (now public)

Antoine Pitrou solipsis at pitrou.net
Thu Jan 5 14:39:57 CET 2012

On Thu, 5 Jan 2012 15:26:27 +1100
Andrew Bennetts <andrew at bemusement.org> wrote:
> I don't think that's news either.
> http://mail.python.org/pipermail/python-dev/2003-May/035907.html and
> http://twistedmatrix.com/pipermail/twisted-python/2003-June/004339.html for
> instance show that in 2003 it was clearly known to at least be likely to be an
> exploitable DoS in common code (a dict of HTTP headers or HTTP form keys).
> There was debate about whether it's the language's responsibility to mitigate
> the problem or if apps should use safer designs for handling untrusted input
> (e.g. limit the number of keys input is allowed to create, or use something
> other than dicts), and debate about just how practical an effective exploit
> would be.  But I think it was understood to be a real concern 8 years ago, so
> not exactly sudden.

That's not news indeed, but that doesn't make it less of a problem,
especially now that the issue has been widely publicized through a
conference and announcements on several widely-read Web sites.

That said, only doing the security fix in 3.3 would have the nice side
effect of pushing people towards Python 3, so perhaps I'm for it after



More information about the Python-Dev mailing list