Victor Stinner <victor.stin...@haypocalc.com> wrote: > I propose to solve the hash collision vulnerability by counting > collisions [...]
> We now know all issues of the randomized hash solution, and I > think that there are more drawbacks than advantages. IMO the > randomized hash is overkill to fix the hash collision issue. For web frameworks, forcing an exception is less harmful than forcing a many-second delay, but I think it's hard to be confident that there aren't other vulnerable applications where it's the other way round. Web frameworks like the exception because they already have backstop exception handlers, and anyway they use short-lived processes and keep valuable data in databases rather than process memory. Web frameworks don't like the delay because they allow unauthenticated users to submit many requests (including multiple requests in parallel), and they normally expect each response to take little cpu time. But many programs are not like this. What about a log analyser or a mailing list archiver or a web crawler or a game server or some other kind of program we haven't considered? -M- _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
