mark florisson, 05.06.2012 22:33: > It doesn't even necessarily have to be about running user code, a user > could craft data input which causes such a situation. For instance, > let's say we have a just-in-time specializer which specializes a > function for the runtime input types, and the types depend on the user > input. For instance, if we write a web application we can post arrays > to described by a custom dtype, which draws pictures in some weird way > for us. We can get it to specialize pretty much any array type, so > that gives us a good opportunity to find collisions.
Yes, and the bad thing is that a very high probability of having no collisions even in combination with the need for a huge amount of brute force work to find one is not enough. An attacker (or otherwise interested user) may just be lucky, and given how low in the application stack this will be used, such a bit of luck may have massive consequences. Stefan _______________________________________________ cython-devel mailing list cython-devel@python.org http://mail.python.org/mailman/listinfo/cython-devel
