[Python-Dev] [issue13703] Hash collision security issue
Glenn Linderman
v+python at g.nevcal.com
Fri Jan 27 19:18:35 CET 2012
On 1/26/2012 10:47 PM, Glenn Linderman wrote:
> On 1/26/2012 10:25 PM, Gregory P. Smith wrote:
>> (and on top of all of this I believe we're all settled on having per
>> interpreter hash randomization_as well_ in 3.3; but this AVL tree
>> approach is one nice option for a backport to fix the major
>> vulnerability)
>
> If the tree code cures the problem, then randomization just makes
> debugging harder. I think if it is included in 3.3, it needs to have
> a switch to turn it on/off (whichever is not default).
In case it is not clear, I meant randomization should always be able to
be switched off.
Another issue occurs to me: when a hash with colliding keys (one that
has been attacked, and has trees) has a non-string key added, isn't the
flattening process likely to have extremely poor performance?
Agreed that the common HTML FORM or JSON attack vectors are unlikely to
produce anything except string keys, but if an application grabs those,
knows that the user keys are all strings, and adds a few more bits of
info to the dict for convenience, using other key types, then ... WHAM?
Seems a bit unlikely, but I know I've coded things along that line from
time to time... I don't recall doing it in Python Web applications...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20120127/4d1b01df/attachment-0001.html>
More information about the Python-Dev
mailing list