[Python-Dev] Counting collisions for the win

Guido van Rossum guido at python.org
Fri Jan 20 23:55:03 CET 2012


On Fri, Jan 20, 2012 at 2:35 PM, Frank Sievertsen <pydev at sievertsen.de> wrote:
> On 20.01.2012 16:33, Guido van Rossum wrote:
>
>> (I'm thinking that the original attack is trivial once the set of 65000
>> colliding keys is public knowledge, which must be only a matter of time.
>
> I think it's very likely that this will happen soon.
>
> For ASP and PHP there are attack payloads publicly available.
> PHP and ASP have patches to limit the number of query variables.
>
> We're very lucky that there's no public payload for python yet,
> and all non-public software and payload I'm aware of is based
> upon my software.
>
> But this can change any moment. It's not really difficult to
> write software to create 32-bit collisions.

While we're debating the best fix, could we allow people to at least
protect themselves against script-kiddies by offering fixes to cgi.py,
django, webob and a few other popular frameworks that limit forms to
1000 keys? (I suppose it's really only POST requests that are
vulnerable to script kiddies, because of the length restriction on
URLs.)

-- 
--Guido van Rossum (python.org/~guido)
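One way a framework could enforce the 1000-key cap proposed above, as an added example that is not code from this thread, from cgi.py, django or webob: count the `&` separators with a single linear scan and refuse the body before any dict is built, so the server never pays the quadratic insertion cost of a colliding key set. The names `MAX_FORM_KEYS`, `TooManyFormFields`, `count_fields` and `parse_form` are assumptions of this example; the `max_num_fields` argument of `urllib.parse.parse_qsl` exists in Python 3.8 and later and enforces the same bound inside the parser.

```python
"""
Added example, not part of the python-dev message: a form-field cap applied
before parsing an application/x-www-form-urlencoded body.  MAX_FORM_KEYS,
TooManyFormFields, count_fields and parse_form are hypothetical names.
"""
from urllib.parse import parse_qsl

# Cap taken from the proposal in the message (1000 keys); assumed default.
MAX_FORM_KEYS = 1000


class TooManyFormFields(ValueError):
    """Raised when a form body carries more key=value pairs than allowed."""


def count_fields(body: str, separator: str = "&") -> int:
    """Upper bound on the number of key=value pairs in the body.

    This is one str.count() over the body: O(len(body)) and no hashing,
    so an attacker gains nothing by choosing the keys carefully.  A
    trailing or doubled separator makes the count overshoot, which is
    safe for a limit check.
    """
    if not body:
        return 0
    return body.count(separator) + 1


def parse_form(body: str, max_fields: int = MAX_FORM_KEYS) -> dict:
    """Parse a urlencoded body into {key: [values...]}, rejecting it
    before any dict insertion if it exceeds max_fields pairs.

    Without the check, parsing 65000 colliding keys costs the server
    O(n^2) hash-bucket probes; with it, the worst case is bounded by
    max_fields squared, which the deployer can size to taste.
    """
    n = count_fields(body)
    if n > max_fields:
        raise TooManyFormFields(
            f"{n} form fields exceeds the limit of {max_fields}")
    result = {}
    # parse_qsl's own max_num_fields (Python 3.8+) enforces the same bound
    # inside the parser; keeping both makes the intent explicit.
    for key, value in parse_qsl(body, keep_blank_values=True,
                                max_num_fields=max_fields):
        result.setdefault(key, []).append(value)
    return result


def demo() -> tuple:
    """Constructed sample bodies: a normal login form and an oversized
    one with 1001 distinct keys (no collisions needed to trip the cap)."""
    normal = parse_form("user=alice&pass=hunter2&user=bob")
    oversized = "&".join(f"k{i}=v" for i in range(1001))
    try:
        parse_form(oversized)
        rejected = False
    except TooManyFormFields:
        rejected = True
    return normal, rejected


if __name__ == "__main__":
    print(demo())
```

The count check is deliberately separate from the parser: a framework that already has its own urlencoded parser, or that reads multipart bodies, can apply the same pre-scan to whatever delimiter it uses before handing the fields to a dict.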