[Python-Dev] Status of the fix for the hash collision vulnerability
and-dev at doxdesk.com
Fri Jan 13 13:45:50 CET 2012
On 2012-01-13 11:20, Lennart Regebro wrote:
> The vulnerability is basically only in the dictionary you keep the
> form data you get from a request.

I'd have to disagree with this statement. The vulnerability is anywhere
that creates a dictionary (or set) from attacker-provided keys. That
would include HTTP headers, RFC822-family subheaders and parameters, the
environ, input taken from JSON or XML, and so on - and indeed hash
collision attacks are not at all web-specific.

The problem with having two dict implementations is that a caller would
have to tell libraries that use dictionaries which implementation to
use. So for example an argument would have to be passed to json.load[s]
to specify whether the input was known-sane or potentially hostile.

Any library that could ever use dictionaries to process untrusted input *or
any library that used another library that did* would have to pass such
a flag through, which would quickly get very unwieldy indeed... or else
they'd have to just always use safedict, in which case we're in pretty
much the same position as we are with changing dict anyway.

mailto:and at doxdesk.com
gtalk:chat?jid=bobince at gmail.com
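
Added example, not part of the original message or of any Python-Dev proposal: a sketch of the flag-threading problem described above, using the real object_pairs_hook parameter of json.loads as the "which dict" argument. CappedDict (a key-count cap standing in for "safedict"), parse_record, load_profile_forgets and load_profile_threads are hypothetical names, and the sample inputs are constructed.

```python
import json

class CappedDict(dict):
    """Hypothetical stand-in for the thread's 'safedict': caps the key count."""
    MAX_KEYS = 4  # tiny so the constructed sample below can exceed it

    def __setitem__(self, key, value):
        if key not in self and len(self) >= self.MAX_KEYS:
            raise ValueError("too many keys for untrusted input")
        super().__setitem__(key, value)

def _hook(dict_type):
    # dict(pairs) would bypass an overridden __setitem__, so insert one by one.
    def build(pairs):
        d = dict_type()
        for k, v in pairs:
            d[k] = v
        return d
    return build

def parse_record(text, dict_type=dict):
    """Hypothetical library A: the only layer that actually calls json.loads."""
    return json.loads(text, object_pairs_hook=_hook(dict_type))

def load_profile_forgets(text):
    """Hypothetical library B: wraps A but gives callers no way to pass the flag."""
    return parse_record(text)

def load_profile_threads(text, dict_type=dict):
    """Library B after its signature grew the same parameter as library A."""
    return parse_record(text, dict_type=dict_type)

def mapping_types(obj):
    """Names of every mapping type used anywhere in a parsed document."""
    found = set()
    if isinstance(obj, dict):
        found.add(type(obj).__name__)
        for v in obj.values():
            found |= mapping_types(v)
    elif isinstance(obj, list):
        for v in obj:
            found |= mapping_types(v)
    return found

# Constructed sample inputs: a small nested document and a wide one.
SMALL = '{"user": {"name": "a", "tags": [{"k": 1}]}}'
WIDE = json.dumps({"k%d" % i: i for i in range(10)})

if __name__ == "__main__":
    print(mapping_types(load_profile_forgets(SMALL)))
    print(mapping_types(load_profile_threads(SMALL, CappedDict)))
```

A caller who knows the input is hostile gets plain dicts from load_profile_forgets regardless; only when every layer on the call path accepts and forwards dict_type does the restricted mapping reach each nested object.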