[Python-Dev] Hash collision security issue (now public)
Terry Reedy
tjreedy at udel.edu
Fri Jan 6 01:11:22 CET 2012
On 1/5/2012 3:10 PM, Ethan Furman wrote:
> Tres Seaver wrote:
>>> 1) the security problem is not in CPython, but rather in web servers
>>> that use dict inappropriately.
>>
>> Most webapp vulnerabilities are due to their use of Python's cgi module,
>> which uses a dict to hold the form / query string data being supplied
>> by untrusted external users.
>
> And Glenn suggested further down that an appropriate course of action
> would be to fix the cgi module (and others) instead of messing with dict.
I think both should be done. For web applications, it would be best to
reject DOS attempts with 'random' keys in O(1) time rather than in O(n)
time even with an improved hash. But in some other apps, like the Python
interpreter itself, 'random' names may be quite normal.
--
Terry Jan Reedy
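The mitigation Terry describes for web applications, a bound on the number of form fields that is enforced before any dict is built, shown as an added example that is not part of this thread or of the cgi module. The function names, the default limit of 1000 fields and the sample query strings are assumptions; the counter stops as soon as the limit is exceeded, so the work done on an oversized request is bounded by the limit rather than by the request size.

```python
from urllib.parse import parse_qs


class TooManyFields(ValueError):
    """Raised when a query string carries more fields than the server allows."""


def count_fields(qs: str, limit: int) -> int:
    """Count '&'-separated fields, stopping as soon as the count exceeds `limit`.

    Only the separators are scanned and no keys are hashed, so an attacker
    sending thousands of colliding keys is turned away before a dict exists.
    The return value is exact up to `limit` and otherwise `limit + 1`.
    """
    if not qs:
        return 0
    count = 1
    pos = qs.find("&")
    while pos != -1 and count <= limit:
        count += 1
        pos = qs.find("&", pos + 1)
    return count


def parse_form_bounded(qs: str, max_fields: int = 1000) -> dict:
    """Parse a query string into a dict only if its field count is acceptable."""
    if count_fields(qs, max_fields) > max_fields:
        raise TooManyFields(f"request carries more than {max_fields} form fields")
    # Only now do the keys reach a hash table.
    return parse_qs(qs, keep_blank_values=True)


# Constructed sample inputs (not taken from the thread): an ordinary form
# submission and a flood of 100,000 fields of the kind a collision attack sends.
BENIGN_QUERY = "user=alice&action=save&action=notify"
FLOOD_QUERY = "&".join(f"k{i}=x" for i in range(100_000))

if __name__ == "__main__":
    print(parse_form_bounded(BENIGN_QUERY))
    try:
        parse_form_bounded(FLOOD_QUERY)
    except TooManyFields as exc:
        print("rejected:", exc)
```

Current CPython's urllib.parse.parse_qs and parse_qsl take a max_num_fields argument that applies the same limit.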