[issue13703] Hash collision security issue
Marc-Andre Lemburg
report at bugs.python.org
Wed Jan 11 16:41:09 CET 2012
Marc-Andre Lemburg <mal at egenix.com> added the comment:
Mark Shannon wrote:
>
> Mark Shannon <mark at hotpy.org> added the comment:
>
>>>> * the method would need to be implemented for all hashable Python types
>>> It was already discussed, and it was said that only hash(str) need to
>>> be modified.
>>
>> Really ? What about the much simpler attack on integer hash values ?
>>
>> You only have to send a specially crafted JSON dictionary with integer
>> keys to a Python web server providing JSON interfaces in order to
>> trigger the integer hash attack.
>
> JSON objects are decoded as dicts with string keys, integers keys are
> not possible.
>
> >>> json.loads(json.dumps({1:2}))
> {'1': 2}
Thanks for the correction. Looks like XML-RPC also doesn't accept
integers as dict keys. That's good :-)
However, as Paul already noted, such attacks can also occur in other
places or parsers in an application, e.g. when decoding FORM parameters
that use integers to signal a line or parameter position (example:
value_1=2&value_2=3...) which are then converted into a dictionary
mapping the position integer to the data.
marshal and pickle are vulnerable, but then you normally don't expose
those to untrusted data.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
More information about the Python-bugs-list
mailing list