On Fri, 4 Oct 2013 11:15:17 +0200, Victor Stinner <victor.stin...@gmail.com> wrote:

> 2013/10/4 Armin Rigo <ar...@tunes.org>:
> > The current hash randomization is simply not preventing anything; someone posted long ago a way to recover bit-by-bit the randomized hash used by a remote web program in Python running on a server.
>
> Oh interesting, is it public? If yes, could we please search the URL of the exploit? I'm more motivated to fix an issue if it is proved to be exploitable.
>
> I still fail to understand the real impact of a hash DoS compared to other kinds of DoS. It's like the XML bomb: the vulnerability was also known since many years, but Christian only fixed the issue recently (and the fix was implemented in a package on the Cheeseshop, not in the stdlib! Is that correct?).
>
> > The only benefit of this hash randomization option (-R) was to say to the press that Python fixed very quickly the problem when it was mediatized :-/
>
> The real benefit is to warn users that they should not rely on the dictionary or set order/representation (in their unit tests), and that the hash function is not deterministic :-)

I agree it probably had educational value.

Regards

Antoine.

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
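The "educational" effect Victor and Antoine describe above, that `str` hashes and therefore set/dict iteration order differ between interpreter runs, is easy to observe directly. The following is an added example, not code from the thread or from CPython itself: it spawns child interpreters with a chosen `PYTHONHASHSEED` and compares what `hash()` and set ordering look like in each. It assumes a modern CPython 3 where hash randomization is on by default and `PYTHONHASHSEED=0` disables it; the word list and the probe key are constructed sample input.

```python
import os
import subprocess
import sys

# Added example (not from the original thread). A child interpreter is
# started per probe so that each run really gets its own hash seed; inside
# one process the seed is fixed for the whole lifetime of the interpreter.

# Program executed by the child: print the hash of the key passed as argv[1]
# and the iteration order of a small set of constructed sample strings.
CHILD_PROGRAM = r"""
import sys
words = ["alpha", "beta", "gamma", "delta", "epsilon"]  # constructed sample
print(hash(sys.argv[1]))
print(",".join(set(words)))
"""


def probe(seed, key="alpha"):
    """Run a child interpreter with PYTHONHASHSEED=seed and report what it sees.

    seed may be an int (0 disables randomization, 1..4294967295 fixes it) or
    the string "random". Returns {"hash": int, "order": [str, ...]}.
    """
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    completed = subprocess.run(
        [sys.executable, "-c", CHILD_PROGRAM, key],
        env=env, capture_output=True, text=True, check=True,
    )
    hash_line, order_line = completed.stdout.splitlines()[:2]
    return {"hash": int(hash_line), "order": order_line.split(",")}


def is_deterministic(seed, runs=3, key="alpha"):
    """True if `runs` independent interpreters agree on hash and set order.

    A fixed seed (including 0) must always agree; "random" almost never does,
    which is exactly why unit tests that depend on set/dict order are flaky.
    """
    results = [probe(seed, key) for _ in range(runs)]
    return all(r == results[0] for r in results)


if __name__ == "__main__":
    # Fixed seeds are reproducible across processes; a random seed is not.
    for seed in (0, 42, "random"):
        print(f"PYTHONHASHSEED={seed}: deterministic={is_deterministic(seed)}")
    # Two different fixed seeds give different hashes for the same string,
    # so any code that relies on a particular order is relying on the seed.
    print("seed 1 vs seed 2 hash equal:", probe(1)["hash"] == probe(2)["hash"])
```

The practical lesson for test suites is the one Victor states: compare sets and dicts by content (or sort before comparing), never by the order `repr()` happens to produce. Pinning `PYTHONHASHSEED` in CI makes such tests reproducible, but it only hides the dependency rather than removing it.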