Author v+python
Recipients Arach, Arfrever, Huzaifa.Sidhpurwala, Mark.Shannon, PaulMcMillan, Zhiping.Deng, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, eric.araujo, georg.brandl, gvanrossum, gz, jcea, lemburg, pitrou, skrah, terry.reedy, tim.peters, v+python, vstinner
Date 2012-01-08.00:32:59
Message-id <1325982780.36.0.940971927339.issue13703@psf.upfronthosting.co.za>
Content
Alex, I agree the issue has to do with the origin of the data, but the modules listed are the ones that deal with the data supplied by this particular attack.

Note that changing the hash algorithm for a persistent process, even though each process may have a different seed or randomized source, allows attacks for the life of that process, if an attack vector can be created during its lifetime. This is not a problem for systems where each request is handled by a different process, but is a problem for systems where processes are long-running and handle many requests.

Regarding vulnerable user code, supplying SafeDict (or something similar) in the stdlib or as sample code for use in such cases allows user code to be fixed also.

You have entered the class of people that claim lots of vulnerabilities, without enumeration.
History
Date User Action Args
2012-01-08 12:36:35 terry.reedy unlink issue13703 messages
2012-01-08 00:33:00 v+python set recipients: + v+python, lemburg, gvanrossum, tim.peters, barry, georg.brandl, terry.reedy, jcea, pitrou, vstinner, christian.heimes, benjamin.peterson, eric.araujo, Arfrever, alex, skrah, dmalcolm, gz, Arach, Mark.Shannon, Zhiping.Deng, Huzaifa.Sidhpurwala, PaulMcMillan
2012-01-08 00:33:00 v+python set messageid: <1325982780.36.0.940971927339.issue13703@psf.upfronthosting.co.za>
2012-01-08 00:32:59 v+python link issue13703 messages
2012-01-08 00:32:59 v+python create