[Python-Dev] Hash collision security issue (now public)

Christian Heimes lists at cheimes.de
Thu Jan 5 22:46:06 CET 2012


On 05.01.2012 21:10, Ethan Furman wrote:
> Tres Seaver wrote:
>> On 01/05/2012 02:14 PM, Glenn Linderman wrote:
>>> 1) the security problem is not in CPython, but rather in web servers
>>> that use dict inappropriately.
>>
>> Most webapp vulnerabilities are due to their use of Python's cgi module,
>> which uses a dict to hold the form / query string data being supplied
>> by untrusted external users.
> 
> And Glenn suggested further down that an appropriate course of action
> would be to fix the cgi module (and others) instead of messing with dict.

You'd have to fix any Python core module that may handle data from
untrusted sources. The issue isn't limited to web apps and POST
requests. It's possible to trigger the DoS from JSON, a malicious PDF,
JPEG's EXIF metadata or any other data.

Oh, and somebody has to fix all 3rd party modules, too.

Christian
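The application-level mitigation the thread argues about (bounding how many untrusted keys a parser is allowed to push into a dict) is shown below as an added example; it is not code from this thread or from CPython. It assumes Python 3.8+ for `parse_qsl`'s `max_num_fields` parameter, and the `max_keys` / `max_fields` defaults and the `TooManyKeys` exception are this example's own choices.

```python
import json
import sys
from urllib.parse import parse_qsl


class TooManyKeys(ValueError):
    """Raised when untrusted input tries to populate a dict with too many keys."""


def _bounded_pairs_hook(max_keys):
    # object_pairs_hook receives each JSON object's key/value pairs *before*
    # they are turned into a dict, so the cap is enforced per object and
    # duplicate keys are counted as well (they still cost a hash/probe each).
    def hook(pairs):
        if len(pairs) > max_keys:
            raise TooManyKeys(f"JSON object has {len(pairs)} keys, limit is {max_keys}")
        return dict(pairs)
    return hook


def load_json_bounded(text, max_keys=1000):
    """Parse untrusted JSON, refusing any single object with more than max_keys keys."""
    return json.loads(text, object_pairs_hook=_bounded_pairs_hook(max_keys))


def parse_query_bounded(qs, max_fields=1000):
    """Parse an untrusted query string / form body with a field-count cap.

    max_num_fields is a real stdlib parameter (Python 3.8+); parse_qsl raises
    ValueError when the input carries more fields than allowed. Later duplicate
    names overwrite earlier ones in the returned dict.
    """
    return dict(parse_qsl(qs, keep_blank_values=True, max_num_fields=max_fields))


def hash_randomization_enabled():
    """True when str/bytes hashes are salted per process (the dict-level mitigation)."""
    return bool(sys.flags.hash_randomization)


if __name__ == "__main__":
    # Constructed sample inputs: a small document and an oversized one.
    small = '{"user": "alice", "prefs": {"theme": "dark"}}'
    oversized = "{" + ",".join(f'"k{i}": {i}' for i in range(5000)) + "}"
    print(load_json_bounded(small))
    try:
        load_json_bounded(oversized, max_keys=1000)
    except TooManyKeys as exc:
        print("rejected:", exc)
    print("hash randomization:", hash_randomization_enabled())
```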
