[Python-Dev] Status of the fix for the hash collision vulnerability
Lennart Regebro
regebro at gmail.com
Fri Jan 13 12:20:28 CET 2012
On Fri, Jan 13, 2012 at 02:24, Victor Stinner
<victor.stinner at haypocalc.com> wrote:
> - Glenn Linderman proposes to fix the vulnerability by adding a new
> "safe" dict type (only accepting string keys). His proof-of-concept
> (SafeDict.py) uses a secret of 64 random bits and uses it to compute
> the hash of a key.
This is my preferred solution. The vulnerability is basically only in
the dictionary you keep the form data you get from a request. This
solves it easily and nicely. It can also be a separate module
installable for Python 2, which many web frameworks still use, so it
can be practical implementable now, and not in a couple of years.
Then again, nothing prevents us from having both this, *and* one of
the other solutions. :-)
//Lennart
More information about the Python-Dev
mailing list