Hello all,
A paper (well, presentation) has been published highlighting security problems
with the hashing algorithm (exploiting collisions) in many programming
languages, Python included:
http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf
Although it's a security issue, I'm posting it here because it is now public and
seems important.
The issue they report can cause (for example) handling an HTTP POST to consume
horrible amounts of CPU. For Python the figures they quoted:
- reasonable-sized attack strings only for 32 bits
- Plone has max. POST size of 1 MB
- 7 minutes of CPU usage for a 1 MB request
- ~20 kbits/s → keep one Core Duo core busy
This was apparently reported to the security list, but hasn't been responded to
beyond an acknowledgement on November 24th (the original report didn't make it
onto the security list because it was held in a moderation queue).
The same vulnerability was reported against various languages and web
frameworks, and is already fixed in some of them.
Their recommended fix is to randomize the hash function.
All the best,
Michael
--
http://www.voidspace.org.uk/
May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing
http://www.sqlite.org/different.html
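The collision mechanism and the randomized-hash fix the mail describes, as an added example that is not part of the original post or of CPython: a toy chained hash table with an unkeyed multiplicative hash, fed keys constructed to share one bucket, beside the same table using a blake2b hash keyed with a per-process random seed. The hash functions, bucket count and key set are all constructed for this demo and stand in for no real implementation.

```python
import hashlib
import os
from typing import Callable, List, Tuple

NBUCKETS = 256
SEED = os.urandom(16)  # per-process secret: the hash randomization the slides recommend


def fixed_hash(key: str) -> int:
    """Unkeyed multiplicative string hash (a toy stand-in, not Python's real str hash)."""
    h = 0
    for ch in key:
        h = (h * 31 + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(key: str) -> int:
    """Keyed hash: the same key lands in a different bucket in every process."""
    digest = hashlib.blake2b(key.encode(), key=SEED, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(n: int) -> List[str]:
    """Constructed input: the first n keys of the form k<i> that fixed_hash puts
    into bucket 0 (found by plain enumeration, which is cheap for a toy hash)."""
    keys, i = [], 0
    while len(keys) < n:
        key = f"k{i}"
        if fixed_hash(key) % NBUCKETS == 0:
            keys.append(key)
        i += 1
    return keys


def insert_all(keys: List[str], hfn: Callable[[str], int]) -> Tuple[int, int]:
    """Insert keys into a chained hash table; return (key comparisons, longest chain).
    The comparison count models the CPU a framework burns building its POST-field dict."""
    buckets: List[List[str]] = [[] for _ in range(NBUCKETS)]
    comparisons = 0
    for key in keys:
        chain = buckets[hfn(key) % NBUCKETS]
        comparisons += len(chain)  # the membership test walks the whole chain
        if key not in chain:
            chain.append(key)
    return comparisons, max(len(chain) for chain in buckets)


if __name__ == "__main__":
    keys = colliding_keys(500)
    for name, hfn in (("fixed", fixed_hash), ("keyed", keyed_hash)):
        comparisons, longest = insert_all(keys, hfn)
        print(f"{name:5s} hash: {comparisons:7d} comparisons, longest chain {longest}")
```

With the fixed hash all 500 keys share one chain, so the table does 500*499/2 comparisons; with the keyed hash the same keys spread out and the cost drops by two orders of magnitude, which is why pinning the seed to a known value across processes gives the protection away.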
Python-Dev mailing list
http://mail.python.org/mailman/listinfo/python-dev