
Author lemburg
Recipients Mark.Shannon, christian.heimes, erlendaasland, gvanrossum, lemburg, methane, rhettinger, serhiy.storchaka, vstinner
Date 2021-10-07.09:58:09
Message-id <34a6eadb-2434-9fc8-12dd-890a35e43671@egenix.com>
In-reply-to <1633600147.94.0.470520821987.issue29410@roundup.psfhosted.org>
Content
On 07.10.2021 11:49, Inada Naoki wrote:
> Hash DoS is not only for HTTP headers. Everywhere a dict is created from an untrusted source can be an attack vector.
> For example, many API servers receive JSON as the HTTP request body. Limiting HTTP headers doesn't protect that.

That's certainly true, but at the same time, just focusing on string
hashes only doesn't really help either, e.g. it is very easy to
create a DoS with numeric keys or other objects which use trivial
hashing algorithms.

I wouldn't focus too much on this at the Python core level.
Server implementations have other ways to protect themselves against
DoS, e.g. by monitoring process memory, CPU load or runtime, or by applying
limits on incoming data.

IMO, it's much better to use application- and use-case-specific methods
for this than to try to fix basic data types in Python to address
the issue and make all Python applications suffer as a result.
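The numeric-key collision mentioned above, as an added illustration that is not code from this issue thread or from CPython itself: CPython reduces int hashes modulo `sys.hash_info.modulus` (2**61 - 1 on 64-bit builds), so every multiple of the modulus hashes to 0 and a dict or set built from such keys degrades to quadratic probing. The `parse_ids_bounded` helper and its `max_items` limit are an assumed application-level contract of the kind the message recommends, not anything Python provides; `SAMPLE_PAYLOAD` is a constructed JSON body.

```python
import json
import sys
import time

# CPython hashes ints modulo this value, so k * MODULUS hashes to 0 for every k.
MODULUS = sys.hash_info.modulus


def colliding_int_keys(n):
    """Return n distinct ints that all hash to 0 under CPython's int hash."""
    return [k * MODULUS for k in range(n)]


def distinct_int_keys(n):
    """Return n ints with distinct hashes (small ints hash to themselves)."""
    return list(range(n))


def build_dict_timed(keys):
    """Build a dict from keys; return (dict, elapsed seconds).

    When every key has the same hash, each insert walks the same probe
    chain past all earlier keys, so total work grows as O(n**2).
    """
    start = time.perf_counter()
    d = {k: None for k in keys}
    return d, time.perf_counter() - start


def compare(n=5000):
    """Time dict construction for colliding vs. distinct-hash keys of size n."""
    _, slow = build_dict_timed(colliding_int_keys(n))
    _, fast = build_dict_timed(distinct_int_keys(n))
    return {
        "n": n,
        "colliding_s": slow,
        "distinct_s": fast,
        "ratio": slow / fast if fast > 0 else float("inf"),
    }


# Constructed request body: a JSON list of colliding ints, the kind of
# untrusted input an API server might turn into a set of IDs.
SAMPLE_PAYLOAD = json.dumps(colliding_int_keys(5))


def parse_ids_bounded(payload, max_items=1000):
    """Application-level mitigation (assumed contract): refuse to build a
    set from more than max_items untrusted ints, bounding the worst case
    instead of changing how ints hash."""
    items = json.loads(payload)
    if not isinstance(items, list):
        raise ValueError("expected a JSON list")
    if len(items) > max_items:
        raise ValueError("too many items: %d > %d" % (len(items), max_items))
    if not all(isinstance(i, int) for i in items):
        raise ValueError("expected integer IDs")
    return set(items)


if __name__ == "__main__":
    print(compare())
    print(parse_ids_bounded(SAMPLE_PAYLOAD, max_items=5))
```

Running `compare()` shows the colliding build taking orders of magnitude longer than the distinct one at the same size; the same keys passed through `set()` or as dict keys from any parser reproduce the effect, which is why a size limit on the incoming data, rather than a change to int hashing, is the practical control.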