[issue29410] Moving to SipHash-1-3

Inada Naoki report at bugs.python.org
Thu Oct 7 05:49:07 EDT 2021


Inada Naoki <songofacandy at gmail.com> added the comment:

> I know that it's not a popular opinion, but I don't think that this denial of service (DoS) is important. IMO there are enough other ways to crash a server. Moreover, the initial attack vector was a HTTP request with tons of header lines. In the meanwhile, the Python http module was modified to put arbitrary limits on the number of HTTP headers and the maximum length of a single HTTP header.


Hash DoS is not only for HTTP headers. Anywhere a dict is created from an untrusted source can be an attack vector.
For example, many API servers receive JSON as the HTTP request body. Limiting HTTP headers doesn't protect it.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue29410>
_______________________________________
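The comment's point is that header limits in the http module do nothing for a JSON request body, which is also turned into dicts. The following is an added example (not code from this thread or from CPython) of the complementary limit a service would put on the body parser: it bounds the body size and the number of keys per object and per document before the dict is ever built, using the stdlib `object_pairs_hook`. The function names and the default limits are illustrative assumptions, not values from the issue.

```python
import json


class UntrustedJSONError(ValueError):
    """Raised when an untrusted JSON document exceeds the configured limits."""


def parse_untrusted_json(body, *, max_bytes=1_000_000,
                         max_keys_per_object=10_000, max_total_keys=100_000):
    """Parse JSON from an untrusted client with explicit size and key-count limits.

    The default limits are hypothetical values chosen for illustration; tune
    them to the request sizes a service really expects. The key limits matter
    because the cost of a hash-collision attack grows with the number of
    colliding keys inserted into a single dict.
    """
    if len(body) > max_bytes:
        raise UntrustedJSONError(f"body is {len(body)} bytes, limit is {max_bytes}")

    total_keys = 0

    def build_object(pairs):
        # json.loads calls this hook with the (key, value) pairs of every JSON
        # object, innermost objects first, instead of building a dict itself.
        nonlocal total_keys
        if len(pairs) > max_keys_per_object:
            raise UntrustedJSONError(
                f"object has {len(pairs)} keys, limit is {max_keys_per_object}")
        total_keys += len(pairs)
        if total_keys > max_total_keys:
            raise UntrustedJSONError(
                f"document has more than {max_total_keys} keys in total")
        # Only now is the dict actually built, so an oversized object never
        # reaches the hash table.
        return dict(pairs)

    return json.loads(body, object_pairs_hook=build_object)


def is_rejected(body, **limits):
    """True if parse_untrusted_json rejects the body under the given limits."""
    try:
        parse_untrusted_json(body, **limits)
    except UntrustedJSONError:
        return True
    return False


def make_object_body(n_keys):
    """Constructed sample input: a flat JSON object with n_keys distinct keys."""
    items = ",".join(f'"k{i}":{i}' for i in range(n_keys))
    return ("{" + items + "}").encode()


if __name__ == "__main__":
    print(parse_untrusted_json(b'{"user": "alice", "tags": ["a", "b"]}'))
    # Too many keys in one object under the default limits: rejected.
    print(is_rejected(make_object_body(10_001)))
    # Three keys spread over nested objects, but only two allowed in total: rejected.
    print(is_rejected(b'{"a": {"b": {"c": 1}}}', max_total_keys=2))
```

The byte-size check is the cheap first line of defence; the per-object and per-document key counts are what actually bound the work an adversarial key set can force on dict construction, and they apply regardless of which HTTP framework sits in front of the parser.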

