Author mark.dickinson
Recipients congma, mark.dickinson, rhettinger, tim.peters
Date 2021-03-11.19:54:31
Message-id <1615492471.08.0.952153924.issue43475@roundup.psfhosted.org>
In-reply-to
Content
> I also wonder if there's security implication for servers that process user-submitted input

Yes, the "malicious actor" scenario is another one to consider. But unlike the string hashing attack, I'm not seeing a realistic way for the nan hash collisions to be used in attacks, and I'm content not to worry about that until someone gives an actual proof of concept. Many of Python's hash functions are fairly predictable (by design!) and there are already lots of other ways to deliberately construct lots of hash collisions with non-string non-float values.
History
Date User Action Args
2021-03-11 19:54:31 mark.dickinson set recipients: + mark.dickinson, tim.peters, rhettinger, congma
2021-03-11 19:54:31 mark.dickinson set messageid: <1615492471.08.0.952153924.issue43475@roundup.psfhosted.org>
2021-03-11 19:54:31 mark.dickinson link issue43475 messages
2021-03-11 19:54:31 mark.dickinson create
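
For the server scenario raised in the quoted question, one way to screen user-submitted values before they are used as dict or set keys. This is an added example, not part of the original message or of CPython. The names `load_untrusted_json`, `check_keys` and `RejectedInput` are hypothetical, and the limit of 8 is an assumed threshold.

```python
import json
import math
import sys

MAX_SAME_HASH = 8  # assumed limit on distinct keys sharing one hash value


class RejectedInput(ValueError):
    """Raised when untrusted input is refused."""


def _reject_constant(name):
    # json.loads calls this hook for the literals NaN, Infinity, -Infinity.
    raise RejectedInput(f"non-finite JSON number not allowed: {name}")


def load_untrusted_json(text):
    """Parse JSON, refusing NaN/Infinity so no NaN float reaches a container."""
    return json.loads(text, parse_constant=_reject_constant)


def check_keys(keys, limit=MAX_SAME_HASH):
    """Return the largest number of distinct keys sharing one hash value.

    Raises RejectedInput on a NaN key, or as soon as more than `limit`
    distinct keys share a hash. Each group is capped at limit + 1 entries,
    so the membership test below stays cheap even on hostile input.
    """
    groups = {}
    for key in keys:
        if isinstance(key, float) and math.isnan(key):
            raise RejectedInput("NaN is not accepted as a key")
        group = groups.setdefault(hash(key), [])
        if key not in group:  # equal keys (1, 1.0, True) are not collisions
            group.append(key)
            if len(group) > limit:
                raise RejectedInput(f"more than {limit} keys share one hash")
    return max((len(g) for g in groups.values()), default=0)


# Constructed sample: integers that differ by a multiple of the documented
# numeric hash modulus (sys.hash_info.modulus) all hash to the same value.
CONSTRUCTED_KEYS = [1 + i * sys.hash_info.modulus for i in range(20)]

if __name__ == "__main__":
    print(check_keys(range(1000)))                    # ordinary input
    print(check_keys(CONSTRUCTED_KEYS, limit=100))    # size of the one group
```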