Message388522
> I also wonder if there's security implication for servers that process user-submitted input
Yes, the "malicious actor" scenario is another one to consider. But unlike the string hashing attack, I'm not seeing a realistic way for the nan hash collisions to be used in attacks, and I'm content not to worry about that until someone gives an actual proof of concept. Many of Python's hash functions are fairly predictable (by design!) and there are already lots of other ways to deliberately construct lots of hash collisions with non-string non-float values.

Date | User | Action | Args
2021-03-11 19:54:31 | mark.dickinson | set | recipients: + mark.dickinson, tim.peters, rhettinger, congma
2021-03-11 19:54:31 | mark.dickinson | set | messageid: <1615492471.08.0.952153924.issue43475@roundup.psfhosted.org>
2021-03-11 19:54:31 | mark.dickinson | link | issue43475 messages
2021-03-11 19:54:31 | mark.dickinson | create |