[Python-Dev] Hash collision security issue (now public)

Glenn Linderman v+python at g.nevcal.com
Thu Jan 5 21:19:25 CET 2012

On 1/5/2012 11:49 AM, Tres Seaver wrote:
> Hash: SHA1
> On 01/05/2012 02:14 PM, Glenn Linderman wrote:
>> 1) the security problem is not in CPython, but rather in web servers
>> that use dict inappropriately.
> Most webapp vulnerabilities are due to their use of Python's cgi module,
> which it uses a dict to hold the form / query string data being supplied
> by untrusted external users.

Yes, I understand that (and have some such web apps in production).

In fact, I pointed out urllib.parse and cgi as specific modules for 
which a proposed fix could be made without impacting the Python hash 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20120105/ca008235/attachment.html>

More information about the Python-Dev mailing list