[Python-Dev] Make str/bytes hash algorithm pluggable?

Christian Heimes christian at python.org
Fri Oct 4 11:54:55 CEST 2013


On 04.10.2013 11:15, Victor Stinner wrote:
> 2013/10/4 Armin Rigo <arigo at tunes.org>:
>> The current hash randomization is simply not preventing anything;
>> someone posted long ago a way to recover bit-by-bit the hash
>> randomized used by a remote web program in Python running on a
>> server.
> 
> Oh interesting, is it public? If yes, could we please search the
> URL of the exploit? I'm more motivated to fix an issue if it is
> proved to be exploitable.

I'm intrigued, too!

> I still fail to understand the real impact of a hash DoS compared
> to other kinds of DoS. It's like the XML bomb: the vulnerability
> had also been known for many years, but Christian only fixed the issue
> recently (and the fix was implemented in a package on the
> Cheeseshop, not in the stdlib! Is that correct?).

About the XML bomb and other issues ... I kinda lost my motivation to
push the fixes into the stdlib. :( The code is ready. It just needs a
proper configuration interface / API.

The hash DoS and XML DoS vulnerabilities have one thing in common.
Both multiply the effectiveness of an attack by several orders of
magnitude. You don't need 100 GBit/sec to kick a service out of
existence. A simple DSL line or mobile phone with 3G/HSDPA does the
same job (if done right). Nowadays Python is important, for example
major parts of the Brazilian Government run on Python, Zope and Plone.
There are Dropbox, Google App Engine ...

> The real benefit is to warn users that they should not rely on the 
> dictionary or set order/representation (in their unit tests), and
> that the hash function is not deterministic :-)
> 
> (So now it is much easier to replace the hash function with SipHash
> or anything else, without breaking new applications.)

Thanks for your groundwork and groundbreaking work, Victor! :)

Christian


