[Python-Dev] Hash collision security issue (now public)

Glenn Linderman v+python at g.nevcal.com
Thu Jan 5 21:19:25 CET 2012


On 1/5/2012 11:49 AM, Tres Seaver wrote:
> On 01/05/2012 02:14 PM, Glenn Linderman wrote:
>> 1) the security problem is not in CPython, but rather in web servers
>> that use dict inappropriately.
> Most webapp vulnerabilities are due to their use of Python's cgi module,
> which uses a dict to hold the form / query string data being supplied
> by untrusted external users.

Yes, I understand that (and have some such web apps in production).

In fact, I pointed out urllib.parse and cgi as specific modules for 
which a proposed fix could be made without impacting the Python hash 
function.
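As an added example (not code from this thread or from CPython), the kind of parsing-layer mitigation the message points at: refuse a form body that carries more fields than a fixed limit before any key is inserted into a dict, so the cost of rejecting oversized input is one linear scan rather than a flood of dict inserts. The helper names and the limit of 1000 are assumptions for illustration; the standard library's urllib.parse later gained a comparable max_num_fields argument.

```python
"""Added example: cap the number of form fields before building a dict."""
from urllib.parse import parse_qsl


class TooManyFields(ValueError):
    """Raised when a query string carries more fields than we will accept."""


def count_fields(query: str) -> int:
    """Count separators on the raw string without decoding or hashing.

    Empty pairs ("a=1&&b=2") are counted too, so this may overcount
    relative to what parse_qsl yields; overcounting is the safe direction.
    """
    if not query:
        return 0
    return query.count("&") + 1


def is_within_limit(query: str, max_fields: int = 1000) -> bool:
    """True when the raw field count does not exceed the cap (assumed 1000)."""
    return count_fields(query) <= max_fields


def parse_form_capped(query: str, max_fields: int = 1000) -> dict:
    """Parse x-www-form-urlencoded data into {key: [values]}.

    The cap is enforced on the raw string, so an oversized request is
    rejected before a single key reaches the dict.
    """
    if not is_within_limit(query, max_fields):
        raise TooManyFields(
            f"{count_fields(query)} fields exceeds limit of {max_fields}")
    form: dict = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        form.setdefault(key, []).append(value)
    return form


# Constructed sample inputs (not captured traffic).
SMALL_QUERY = "user=alice&tag=a&tag=b"
BIG_QUERY = "&".join(f"k{i}=v" for i in range(5000))


if __name__ == "__main__":
    print(parse_form_capped(SMALL_QUERY))
    try:
        parse_form_capped(BIG_QUERY)
    except TooManyFields as exc:
        print("rejected:", exc)
```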