Author pitrou
Recipients Arach, Arfrever, Huzaifa.Sidhpurwala, Mark.Shannon, PaulMcMillan, Zhiping.Deng, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, eric.araujo, georg.brandl, gvanrossum, gz, jcea, lemburg, pitrou, skrah, terry.reedy, tim.peters, v+python, vstinner, zbysz
Date 2012-01-11.14:45:34
Message-id <1326293048.3531.6.camel@localhost.localdomain>
In-reply-to <4F0D9DE3.6010509@egenix.com>
Content
> OTOH, the collision counting patch is very simple, doesn't have
> the performance issues and provides real protection against the
> attack.

I don't know about real protection: you can still slow down dict
construction by 1000x (the number of allowed collisions per lookup),
which can be enough combined with a brute-force DOS.

Also, how about false positives? Having legitimate programs break
because of legitimate data would be a disaster.
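
The trade-off raised in this message, as an added example that is not part of the original message or of the patch under discussion: a simplified chained hash table that raises once a single insert walks more than `limit` colliding keys. The class, the function names, the integer toy hash and the bucket count are all assumptions made for illustration.

```python
# Added example: a simplified chained hash table with a per-insert collision
# limit. It models the idea discussed above; it is not CPython's dict or the patch.

class CollisionLimitError(Exception):
    pass

class CountingTable:
    def __init__(self, nbuckets, limit):
        self.buckets = [[] for _ in range(nbuckets)]
        self.limit = limit
        self.steps = 0   # total work: 1 per insert + 1 per colliding key walked
        self.worst = 0   # most collisions seen by a single successful insert

    def insert(self, key):
        # Toy hash (assumption): an integer key hashes to itself.
        chain = self.buckets[key % len(self.buckets)]
        self.steps += 1
        collisions = 0
        for existing in chain:
            if existing == key:
                return
            collisions += 1
            self.steps += 1
            if collisions > self.limit:
                raise CollisionLimitError(key)
        self.worst = max(self.worst, collisions)
        chain.append(key)

def build(keys, nbuckets=8192, limit=1000):
    """Insert all keys; return (total steps, worst collisions in one insert)."""
    table = CountingTable(nbuckets, limit)
    for key in keys:
        table.insert(key)
    return table.steps, table.worst

def colliding_keys(groups, per_group, nbuckets=8192):
    """Constructed input: per_group keys landing in each of `groups` buckets."""
    return [b + j * nbuckets for b in range(groups) for j in range(per_group)]

if __name__ == "__main__":
    benign = list(range(4000))          # constructed: one key per bucket
    capped = colliding_keys(4, 1000)    # constructed: every chain stays within the limit
    print("benign:", build(benign))
    print("within limit:", build(capped))
    try:
        build(colliding_keys(1, 1002))  # one chain grows past the limit
    except CollisionLimitError as exc:
        print("rejected at key", exc)
```

In this model the limit caps the cost of each insert but does not remove it: the same number of keys costs hundreds of times more steps while never triggering the error, and any input with enough colliding keys is rejected regardless of where it came from.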
History
Date User Action Args
2012-01-11 14:45:35 pitrou set recipients: + pitrou, lemburg, gvanrossum, tim.peters, barry, georg.brandl, terry.reedy, jcea, vstinner, christian.heimes, benjamin.peterson, eric.araujo, Arfrever, v+python, alex, zbysz, skrah, dmalcolm, gz, Arach, Mark.Shannon, Zhiping.Deng, Huzaifa.Sidhpurwala, PaulMcMillan
2012-01-11 14:45:34 pitrou link issue13703 messages
2012-01-11 14:45:34 pitrou create