[Python-Dev] Hash collision security issue (now public)

Terry Reedy tjreedy at udel.edu
Fri Jan 6 01:11:22 CET 2012

On 1/5/2012 3:10 PM, Ethan Furman wrote:
> Tres Seaver wrote:

>>> 1) the security problem is not in CPython, but rather in web servers
>>> that use dict inappropriately.
>> Most webapp vulnerabilities are due to their use of Python's cgi module,
>> which it uses a dict to hold the form / query string data being supplied
>> by untrusted external users.
> And Glenn suggested further down that an appropriate course of action
> would be to fix the cgi module (and others) instead of messing with dict.

I think both should be done. For web applications, it would be best to 
reject DOS attempts with 'random' keys in O(1) time rather than in O(n) 
time even with improved hash. But some other apps, like the Python 
interpreter itself, 'random' names may be quite normal.

Terry Jan Reedy

More information about the Python-Dev mailing list