[Python-Dev] XML DoS vulnerabilities and exploits in Python

Antoine Pitrou solipsis at pitrou.net
Thu Feb 21 07:56:11 CET 2013


On Thu, 21 Feb 2013 10:38:07 +1000
Nick Coghlan <ncoghlan at gmail.com> wrote:
> On Thu, Feb 21, 2013 at 9:49 AM, Tres Seaver <tseaver at palladion.com> wrote:
> > Two words:  "hash randomization".  If it applies to one, it applies to
> > the other.
> 
> Agreed. Christian's suggested approach sounds sane to me:
> 
> - make it possible to enable safer behaviour globally in at least 2.7
> and 3.3 (and perhaps in 2.6 and 3.2 security releases as well)
> - make the safer behaviour the default in 3.4
> - make it possible to selectively disable the safeguards in all versions

+1 from me.

Regards

Antoine.




More information about the Python-Dev mailing list