On 29.12.2011 12:10, Antoine Pitrou wrote:
>> I've been dealing with web stuff and security for almost a decade. I've
>> seen far worse attack vectors. This one can easily be solved with a
>> couple of lines of Python code. For example, application developers can
>> limit the maximum amount of POST parameters to a sensible amount and
>> limit the length of each key, too.
> 
> Shouldn't the setting be implemented by frameworks?

Web frameworks like Django or CherryPy can be considered applications
from the CPython core's point of view. ;)
You are right. The term "framework" is a better word.

>> CPython could aid developers with a special subclass of dict. The
>> crucial lookup function is already overwritable per dict instance and
>> on subclasses of dict through PyDictObj's struct member PyDictEntry
>> *(*ma_lookup)(PyDictObject *mp, PyObject *key, long hash). For example
>> a specialized subclass could limit the search for a free slot to n
>> recursions or choose to ignore the hash argument and calculate its own
>> hash of the key.
> 
> Or, rather, the specialized subclass could implement hash randomization.

Yeah! I was thinking about the same when I wrote "calculate its own
hash" but I was too sloppy to carry on my argument. Please take 3am as
my excuse.
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
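The two mitigations discussed in this message, as an added Python example; this is not code from the original message or from CPython or any framework named above. The first part is the framework-level limit on the number of POST parameters and on key length. The second part is a user-space stand-in for the "calculate its own hash" idea: since `ma_lookup` cannot be replaced from Python, the mapping wraps each str key in an object whose `__hash__` is a keyed BLAKE2b hash under a per-process random secret, so a client cannot precompute colliding keys. The limit values and the class and function names are assumptions chosen for the example. (CPython 3.3 and later enable hash randomization for str keys by default; the wrapper is only there to make the technique visible.)

```python
"""Mitigations for hash-collision DoS on dicts built from request data.

1. Framework-level limits on the number of POST fields and on key length.
2. A mapping whose str keys are hashed with a per-process random secret
   (a user-space stand-in for hash randomization).
"""
import hashlib
import secrets
from collections.abc import MutableMapping
from urllib.parse import parse_qsl

# Hypothetical limits; a framework would expose these as settings.
MAX_FIELDS = 1000
MAX_KEY_LEN = 256


class FormTooLarge(ValueError):
    """Raised when a request body exceeds the configured limits."""


def parse_form(body, max_fields=MAX_FIELDS, max_key_len=MAX_KEY_LEN):
    """Parse an application/x-www-form-urlencoded body into {key: [values]}.

    The field count is bounded before any decoding happens: counting '&'
    separators is a single pass over the body and allocates nothing, so an
    oversized request is rejected before any dict is built from it.
    """
    if body.count("&") + 1 > max_fields:
        raise FormTooLarge("more than %d fields" % max_fields)
    params = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if len(key) > max_key_len:
            raise FormTooLarge("key longer than %d characters" % max_key_len)
        params.setdefault(key, []).append(value)
    return params


# Per-process secret, unknown to clients; without it an attacker cannot
# precompute a set of keys that collide in this table.
_SECRET = secrets.token_bytes(16)


def keyed_hash(key, secret=_SECRET):
    """64-bit keyed hash of a str key (BLAKE2b in keyed mode)."""
    digest = hashlib.blake2b(key.encode("utf-8"), digest_size=8,
                             key=secret).digest()
    return int.from_bytes(digest, "little")


class _Key:
    """Wraps a str so the underlying dict sees keyed_hash(), not str.__hash__."""
    __slots__ = ("s", "h")

    def __init__(self, s):
        self.s = s
        self.h = keyed_hash(s)

    def __hash__(self):
        return self.h

    def __eq__(self, other):
        return isinstance(other, _Key) and self.s == other.s


class RandomizedDict(MutableMapping):
    """str-keyed mapping backed by a plain dict of _Key wrappers."""

    def __init__(self, items=()):
        self._d = {}
        for k, v in dict(items).items():
            self[k] = v

    def __getitem__(self, k):
        return self._d[_Key(k)]

    def __setitem__(self, k, v):
        self._d[_Key(k)] = v

    def __delitem__(self, k):
        del self._d[_Key(k)]

    def __iter__(self):
        return (w.s for w in self._d)

    def __len__(self):
        return len(self._d)


if __name__ == "__main__":
    # Constructed sample body, not captured traffic.
    print(parse_form("user=alice&tag=a&tag=b"))
    d = RandomizedDict(parse_form("x=1&y=2"))
    print(dict(d), keyed_hash("x") != keyed_hash("y"))
```

The field-count check deliberately runs on the raw body rather than on the decoded pairs, because the point of the attack is the cost of building the dict; once the pairs are decoded and inserted, the damage is done. The key-length check runs after decoding so that percent-encoded keys are measured at their real length.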