On 29.12.2011 12:10, Antoine Pitrou wrote:
>> I've been dealing with web stuff and security for almost a decade. I've
>> seen far worse attack vectors. This one can easily be solved with a
>> couple of lines of Python code. For example, application developers can
>> limit the maximum amount of POST parameters to a sensible amount and
>> limit the length of each key, too.
>
> Shouldn't the setting be implemented by frameworks?

Web frameworks like Django or CherryPy can be considered an application from the CPython core's point of view. ;) You are right. The term "framework" is a better word.

>> CPython could aid developers with a special subclass of dict. The
>> crucial lookup function is already overwrite-able per dict instance and
>> on subclasses of dict through PyDictObj's struct member PyDictEntry
>> *(*ma_lookup)(PyDictObject *mp, PyObject *key, long hash). For example,
>> a specialized subclass could limit the search for a free slot to n
>> recursions or choose to ignore the hash argument and calculate its own
>> hash of the key.
>
> Or, rather, the specialized subclass could implement hash randomization.

Yeah! I was thinking about the same when I wrote "calculate its own hash", but I was too sloppy to carry on my argument. Please take 3am as my excuse.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
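The two mitigations discussed in this thread, a framework-level cap on the number of POST parameters and on key length, and a mapping whose key hashing is randomized with a secret so a client cannot precompute colliding keys, as one added example. This is illustration code written for this page, not code from CPython, Django or CherryPy. The limits (`MAX_PARAMS`, `MAX_KEY_LENGTH`) are assumed values; the `ma_lookup` hook quoted above is C-level and not reachable from Python, so the randomized mapping is done here as a `MutableMapping` wrapper around a plain dict that keys on a keyed BLAKE2b digest with a per-process salt, rather than as a dict subclass overriding lookup. (Since Python 3.3, `str` hashing itself is randomized per process via `PYTHONHASHSEED`; the wrapper shows the same idea explicitly for any key type.)

```python
import hashlib
import os
from collections.abc import MutableMapping
from urllib.parse import unquote_plus

# Framework-level limits (assumed values chosen for illustration).
MAX_PARAMS = 1000
MAX_KEY_LENGTH = 256


class TooManyParameters(ValueError):
    """Raised when a form body exceeds the configured parameter limits."""


def parse_form_bounded(body, max_params=MAX_PARAMS, max_key_length=MAX_KEY_LENGTH):
    """Parse application/x-www-form-urlencoded text into {key: [values]},
    enforcing the limits *before* each key is inserted, so an oversized
    request is rejected without doing the hashing work it was designed to cause.
    Percent-decoding never lengthens a key, so checking the raw key bounds the decoded one."""
    result = {}
    count = 0
    for pair in body.split("&"):
        if not pair:
            continue
        count += 1
        if count > max_params:
            raise TooManyParameters(f"more than {max_params} parameters")
        raw_key, _, raw_value = pair.partition("=")
        if len(raw_key) > max_key_length:
            raise TooManyParameters(f"key longer than {max_key_length} characters")
        result.setdefault(unquote_plus(raw_key), []).append(unquote_plus(raw_value))
    return result


def rejects(body, **limits):
    """True if parse_form_bounded refuses the body under the given limits."""
    try:
        parse_form_bounded(body, **limits)
    except TooManyParameters:
        return True
    return False


class SaltedKey:
    """Wraps a key so its hash is a keyed digest under a secret salt instead of
    the type's built-in hash; equality still compares the original keys."""
    __slots__ = ("key", "_hash")

    def __init__(self, key, salt):
        self.key = key
        digest = hashlib.blake2b(repr(key).encode(), key=salt, digest_size=8).digest()
        self._hash = int.from_bytes(digest, "big")

    def __hash__(self):
        return self._hash

    def __eq__(self, other):
        return isinstance(other, SaltedKey) and self.key == other.key


class SaltedDict(MutableMapping):
    """Mapping with randomized key hashing: the salt is drawn once per process,
    so a remote client cannot know which keys will collide in the table."""
    _salt = os.urandom(16)  # per-process secret, never sent to clients

    def __init__(self, *args, **kwargs):
        self._data = {}
        self.update(*args, **kwargs)

    def _wrap(self, key):
        return SaltedKey(key, self._salt)

    def __getitem__(self, key):
        return self._data[self._wrap(key)]

    def __setitem__(self, key, value):
        self._data[self._wrap(key)] = value

    def __delitem__(self, key):
        del self._data[self._wrap(key)]

    def __iter__(self):
        return (wrapped.key for wrapped in self._data)

    def __len__(self):
        return len(self._data)


if __name__ == "__main__":
    # Constructed sample body with a small limit to show the rejection path.
    print(parse_form_bounded("a=1&b=2&a=3"))
    print(rejects("&".join(f"k{i}=v" for i in range(5)), max_params=4))
    d = SaltedDict({"user": "alice"})
    d["role"] = "reader"
    print(dict(d.items()))
```

In CPython, `hash(1) == hash(2**61)` because int hashing reduces modulo 2**61 - 1, so those two keys land in the same bucket of a plain dict; wrapped in `SaltedKey` their hashes differ with overwhelming probability, which is the property a collision-based flood relies on being absent.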