[Python-Dev] Hash collision security issue (now public)
Ethan Furman
ethan at stoneleaf.us
Thu Jan 5 21:10:35 CET 2012
Tres Seaver wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/05/2012 02:14 PM, Glenn Linderman wrote:
>> 1) the security problem is not in CPython, but rather in web servers
>> that use dict inappropriately.
>
> Most webapp vulnerabilities are due to their use of Python's cgi module,
> which it uses a dict to hold the form / query string data being supplied
> by untrusted external users.
And Glenn suggested further down that an appropriate course of action
would be to fix the cgi module (and others) instead of messing with dict.
~Ethan~
More information about the Python-Dev
mailing list