Message151062
> OTOH, the collision counting patch is very simple, doesn't have
> the performance issues and provides real protection against the
> attack.
I don't know about real protection: you can still slow down dict
construction by 1000x (the number of allowed collisions per lookup),
which can be enough combined with a brute-force DOS.
Also, how about false positives? Having legitimate programs break
because of legitimate data would be a disaster.
Date | User | Action | Args
2012-01-11 14:45:35 | pitrou | set | recipients: + pitrou, lemburg, gvanrossum, tim.peters, barry, georg.brandl, terry.reedy, jcea, vstinner, christian.heimes, benjamin.peterson, eric.araujo, Arfrever, v+python, alex, zbysz, skrah, dmalcolm, gz, Arach, Mark.Shannon, Zhiping.Deng, Huzaifa.Sidhpurwala, PaulMcMillan
2012-01-11 14:45:34 | pitrou | link | issue13703 messages
2012-01-11 14:45:34 | pitrou | create |
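A toy model of the collision-counting scheme the message argues about, added here as an illustration and not code from the CPython patch or from issue13703: a small open-addressing table that counts probes per lookup and aborts past a limit. The constant hash function used for the worst case is a constructed stand-in for pathological input; with it, each lookup costs up to `limit` probes (the "1000x" point) and the cap also fires on the data itself, which is the false-positive concern.

```python
MAX_COLLISIONS = 1000  # per-lookup limit quoted in the message


class TooManyCollisions(Exception):
    """Raised when a single lookup exceeds the collision limit."""


class CountingDict:
    """Open-addressing table (linear probing) with a per-lookup collision cap."""

    def __init__(self, size=4096, limit=MAX_COLLISIONS, hash_func=hash):
        assert size & (size - 1) == 0, "size must be a power of two"
        self.slots = [None] * size
        self.limit = limit
        self.hash_func = hash_func
        self.last_probe_collisions = 0  # cost of the most recent lookup

    def _find_slot(self, key):
        mask = len(self.slots) - 1
        i = self.hash_func(key) & mask
        collisions = 0
        while True:
            entry = self.slots[i]
            if entry is None or entry[0] == key:
                self.last_probe_collisions = collisions
                return i
            collisions += 1
            if collisions > self.limit:  # the mitigation: give up, do not keep probing
                raise TooManyCollisions(f"more than {self.limit} collisions in one lookup")
            i = (i + 1) & mask

    def __setitem__(self, key, value):
        self.slots[self._find_slot(key)] = (key, value)

    def __getitem__(self, key):
        entry = self.slots[self._find_slot(key)]
        if entry is None:
            raise KeyError(key)
        return entry[1]


def fill_until_limit(hash_func, limit, size=4096):
    """Insert integer keys until the cap trips; return (keys inserted, worst probe cost)."""
    d = CountingDict(size=size, limit=limit, hash_func=hash_func)
    inserted, worst = 0, 0
    try:
        for k in range(size - 1):
            d[k] = k
            inserted += 1
            worst = max(worst, d.last_probe_collisions)
    except TooManyCollisions:
        pass  # the cap fired: every further insert of such keys would fail too
    return inserted, worst
```

With a well-distributed hash the table fills completely at zero probe cost; with the constructed constant hash the cost climbs linearly to `limit` and the next insert is rejected.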