Author pitrou
Recipients Arach, Arfrever, Huzaifa.Sidhpurwala, Mark.Shannon, PaulMcMillan, Zhiping.Deng, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, georg.brandl, gvanrossum, gz, haypo, jcea, lemburg, merwok, pitrou, skrah, terry.reedy, tim.peters, v+python, zbysz
Date 2012-01-11.14:45:34
SpamBayes Score 1.36632e-07
Marked as misclassified No
Message-id <1326293048.3531.6.camel@localhost.localdomain>
In-reply-to <4F0D9DE3.6010509@egenix.com>
Content
> OTOH, the collision counting patch is very simple, doesn't have
> the performance issues and provides real protection against the
> attack.

I don't know about real protection: you can still slow down dict
construction by 1000x (the number of allowed collisions per lookup),
which can be enough combined with a brute-force DOS.

Also, how about false positives? Having legitimate programs break
because of legitimate data would be a disaster.
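As an added illustration of the trade-off raised above (this is not code from the tracker or from CPython's dictobject.c), a toy open-addressing table that enforces the collision-count limit; the hash functions and key sets are constructed for the demonstration.

```python
# Model of the "collision counting" mitigation: a small open-addressing table
# that counts colliding probes per operation and raises once the count exceeds
# a limit (1000 in the patch under discussion). Illustrative only.
MAX_COLLISIONS = 1000


class CollisionLimitExceeded(Exception):
    """Raised when one lookup/insert collides more than MAX_COLLISIONS times."""


class CountingTable:
    def __init__(self, hash_fn, size=1 << 12):
        self.hash_fn = hash_fn        # hash function under test (supplied by caller)
        self.slots = [None] * size    # each slot holds (key, value) or None
        self.mask = size - 1
        self.last_collisions = 0      # collisions seen by the most recent operation

    def _find_slot(self, key):
        """Linear probing; returns a slot index, counting collisions on the way."""
        i = self.hash_fn(key) & self.mask
        collisions = 0
        while self.slots[i] is not None and self.slots[i][0] != key:
            collisions += 1
            if collisions > MAX_COLLISIONS:
                self.last_collisions = collisions
                raise CollisionLimitExceeded(f"{collisions} collisions for {key!r}")
            i = (i + 1) & self.mask
        self.last_collisions = collisions
        return i

    def __setitem__(self, key, value):
        self.slots[self._find_slot(key)] = (key, value)


def probe_costs(hash_fn, keys):
    """Insert keys in order; return per-insert collision counts, stopping at the limit."""
    table = CountingTable(hash_fn)
    costs = []
    for k in keys:
        try:
            table[k] = True
        except CollisionLimitExceeded:
            costs.append(table.last_collisions)
            break
        costs.append(table.last_collisions)
    return costs


# Constructed inputs. Fully colliding keys: the i-th insert costs i probes, so the
# limit bounds each operation to ~MAX_COLLISIONS probes (the "1000x"), not O(1).
attack_costs = probe_costs(lambda k: 0, range(1200))
# Well-distributed keys (hash(int) == int): no collisions at all.
baseline_costs = probe_costs(hash, range(1100))
# "Legitimate" same-length words under a weak hash (string length) trip the
# limit by accident: the false positive the message worries about.
legit_costs = probe_costs(len, [f"w{i:04d}" for i in range(1100)])
```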
History
Date | User | Action | Args
2012-01-11 14:45:35 | pitrou | set | recipients: + pitrou, lemburg, gvanrossum, tim.peters, barry, georg.brandl, terry.reedy, jcea, haypo, christian.heimes, benjamin.peterson, merwok, Arfrever, v+python, alex, zbysz, skrah, dmalcolm, gz, Arach, Mark.Shannon, Zhiping.Deng, Huzaifa.Sidhpurwala, PaulMcMillan
2012-01-11 14:45:34 | pitrou | link | issue13703 messages
2012-01-11 14:45:34 | pitrou | create |