Marc-Andre Lemburg added the comment:

On 21.10.2012 23:42, STINNER Victor wrote:
>
> STINNER Victor added the comment:
>
>> It's interesting to note how this whole -R discussion made very long
>> threads on python-dev, and python-dev has subsequently ignored (for the
>> past 6 months!) the fact that their "fix" can be worked around in a matter
>> of minutes.
>
> No, this issue has not been ignored. Nobody proposed anything to fix this
> issue, but we are still working on it (sometimes in private).
>
> In my opinion, we cannot solve this issue without slowing down python. Or I
> don't know yet a fast and secure hash algorithm. I don't really want to
> slow down Python for one specific issue whereas there are so many other
> ways to DoS a (web) server.

Well, I did propose a different approach to the whole problem to count
collisions. That would have avoided the usability issues you have with the
randomization approach, made it possible for the application to detect the
attack and not have introduced any significant runtime overhead for
applications not being attacked.

The proposal was shot down with the argument that it wouldn't fix the
problem.

It should also be noted that the randomization only applies to
strings/bytes, dictionaries with other colliding keys are not protected
at all.

Perhaps it's time to revisit the collision counting idea? It would work
in much the same way as the stack recursion limit we have in Python.

--
Marc-Andre Lemburg
eGenix.com

----------
nosy: +lemburg

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue14621>
_______________________________________
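
The collision-counting idea from the message above, sketched as an added example; it is not part of the original message and is not CPython code. `CountingDict`, `TooManyCollisions`, `CollidingKey`, `insert_all` and the limit values are hypothetical; the table is a toy linear-probing map that raises once a single insert passes more occupied slots than the limit, much as the recursion limit raises on a runaway stack.

```python
class TooManyCollisions(RuntimeError):
    """One insert hit more occupied slots than the limit allows."""

class CollidingKey:
    """Constructed sample key: every instance has the same hash (not a str/bytes)."""
    def __init__(self, n):
        self.n = n
    def __hash__(self):
        return 42
    def __eq__(self, other):
        return isinstance(other, CollidingKey) and self.n == other.n

class CountingDict:
    """Toy linear-probing table with a collision limit (hypothetical sketch)."""
    def __init__(self, collision_limit=1000):
        self.collision_limit = collision_limit
        self._slots = [None] * 8
        self._used = 0

    def _probe(self, key, slots):
        mask, collisions = len(slots) - 1, 0
        i = hash(key) & mask
        while slots[i] is not None and slots[i][0] != key:
            collisions += 1
            if collisions > self.collision_limit:  # detect instead of degrading
                raise TooManyCollisions(f"more than {self.collision_limit} collisions")
            i = (i + 1) & mask
        return i

    def __setitem__(self, key, value):
        if (self._used + 1) * 3 > len(self._slots) * 2:  # keep load at or below 2/3
            grown = [None] * (len(self._slots) * 2)
            for entry in filter(None, self._slots):
                grown[self._probe(entry[0], grown)] = entry
            self._slots = grown
        i = self._probe(key, self._slots)
        if self._slots[i] is None:
            self._used += 1
        self._slots[i] = (key, value)

    def __len__(self):
        return self._used

def insert_all(table, keys):
    """Insert keys in order; return (number stored, True if the limit tripped)."""
    for n, key in enumerate(keys):
        try:
            table[key] = n
        except TooManyCollisions:
            return n, True  # the application can log and reject the input here
    return len(keys), False
```

With ordinary keys the counter costs one integer increment per occupied slot passed and never trips; with colliding keys of any type the work per insert is capped at the limit and the caller gets an exception it can act on.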