Thanks

On Thu, Dec 29, 2011 at 11:36 AM, Alex Gaynor <alex.gay...@gmail.com> wrote:

>
>
> On Thu, Dec 29, 2011 at 10:32 AM, Daniel Sokolowski <daniel.sokolow...@klinsight.com> wrote:
>
>> Would someone be so kind and explain why POST variables are stored in
>> hash tables? What is the reasoning behind it? Speed? Or is this simply done
>> at the Python level when using a dictionary type? Thank you
>>
>>
>> On Thu, Dec 29, 2011 at 11:19 AM, Christophe Pettus <x...@thebuild.com> wrote:
>>
>>>
>>> On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote:
>>>
>>> > So this would affect Django because of the CSRF token check --- which
>>> requires the hash to be regenerated before comparing it yes?
>>>
>>> No, the problem is somewhat different.  The attacker constructs a POST
>>> request in which the field names are constructed to be a degenerate case of
>>> a hash table.  Since pretty much every web framework in existence
>>> (including Django) automatically takes the incoming POST fields and inserts
>>> them into a hash table (a Python dict being implemented as a hash table),
>>> the framework will grind through this degenerate case very, very slowly.
>>>
>>> If I'm reading the paper correctly, it only applies to 32-bit Python
>>> implementations, as the 64-bit ones are not practically vulnerable to this
>>> attack.
>>>
>>> It's an interesting result, but I'm not sure how much to be worried
>>> about it in the field.  A SlowLoris or similar attack would seem to be far
>>> more effective and less implementation-dependent.
>>> --
>>> -- Christophe Pettus
>>>   x...@thebuild.com
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Django developers" group.
>>> To post to this group, send email to django-developers@googlegroups.com.
>>> To unsubscribe from this group, send email to
>>> django-developers+unsubscr...@googlegroups.com.
>>> For more options, visit this group at
>>> http://groups.google.com/group/django-developers?hl=en.
>>>
>>>
>>
>>
>> --
>> Daniel Sokolowski
>> Web Engineer
>> KL Insight
>> http://klinsight.com/
>> Tel: 613-344-2116 | Fax: 613.634.7029
>> 993 Princess Street, Suite 212
>> Kingston, ON K7L 1H3, Canada
>>
>>
>>
>
> Well, what structure would you use to store them?  POST variables are
> "obviously" a mapping of key to value, and the way one does that in Python
> is generally a dict (which are presently backed by a hashtable on every
> Python VM I know of).
>
> Alex
>
> --
> "I disapprove of what you say, but I will defend to the death your right
> to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
>
>

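Two points from the quoted exchange, made concrete in an added example (this is not code from the thread, from Django, or from the paper Christophe refers to). First, why a "degenerate case of a hash table" is slow: keys that all land in the same bucket turn each insertion into a scan of the keys already there, so n insertions cost about n(n-1)/2 equality checks instead of n. The `ConstantHashKey` class forces that case on purpose with a constant `__hash__`; it does not collide real string hashes. Second, what a framework can do before the POST fields ever reach a dict: cap the field count on the raw body. The `max_num_fields` argument of `urllib.parse.parse_qsl` (Python 3.8 and later, also in 3.7.x maintenance releases) does that; the default limit of 1000 below mirrors the later Django setting `DATA_UPLOAD_MAX_NUMBER_FIELDS`. The names `parse_post_body`, `TooManyFieldsSent`, `degenerate_insert_cost` and `hash_randomization_enabled` are this example's own.

```python
"""Added example: the degenerate hash-table case and a bounded POST parser."""
import sys
from urllib.parse import parse_qsl


class ConstantHashKey:
    """Key whose hash is always 0, so every instance shares one bucket.

    This deliberately reproduces the worst case for a hash table; it is
    a teaching device, not a collision against Python's string hash.
    """
    eq_calls = 0  # class-wide counter of __eq__ invocations by the dict

    def __init__(self, name):
        self.name = name

    def __hash__(self):
        return 0

    def __eq__(self, other):
        ConstantHashKey.eq_calls += 1
        return isinstance(other, ConstantHashKey) and self.name == other.name


def degenerate_insert_cost(n):
    """Insert n distinct constant-hash keys into a dict and return how many
    equality comparisons the dict had to perform.

    With distinct hashes this is 0; with every key in one bucket the k-th
    insertion walks the k-1 keys already on the probe sequence, so the total
    is n*(n-1)/2: the quadratic blow-up the thread is about.
    """
    ConstantHashKey.eq_calls = 0
    table = {}
    for i in range(n):
        table[ConstantHashKey(f"field{i}")] = i
    return ConstantHashKey.eq_calls


def hash_randomization_enabled():
    """True when this interpreter randomizes str/bytes hashes per process
    (default since Python 3.3 unless PYTHONHASHSEED=0), which is what stops
    an attacker from precomputing colliding field names offline."""
    return bool(sys.flags.hash_randomization)


class TooManyFieldsSent(ValueError):
    """Raised before any field of an oversized body is inserted into a dict."""


def parse_post_body(raw_body, max_num_fields=1000):
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.

    The field count is checked by parse_qsl on the raw string (a separator
    count, linear in the body length), so a body with more than
    max_num_fields fields is rejected before the dict is ever built.
    """
    if isinstance(raw_body, bytes):
        # Assumption: the body is UTF-8; a real framework would use the
        # request's declared charset here.
        raw_body = raw_body.decode("utf-8", "replace")
    try:
        pairs = parse_qsl(raw_body, keep_blank_values=True,
                          max_num_fields=max_num_fields)
    except ValueError as exc:
        raise TooManyFieldsSent(
            f"body has more than {max_num_fields} fields") from exc
    fields = {}
    for name, value in pairs:
        fields.setdefault(name, []).append(value)
    return fields


if __name__ == "__main__":
    # Constructed inputs for a stand-alone run.
    for n in (10, 100, 1000):
        print(f"{n:5d} constant-hash keys -> {degenerate_insert_cost(n)} comparisons")
    print("hash randomization:", hash_randomization_enabled())
    print(parse_post_body("user=alice&tag=a&tag=b"))
    oversized = "&".join(f"f{i}=x" for i in range(2000))
    try:
        parse_post_body(oversized)
    except TooManyFieldsSent as err:
        print("rejected:", err)
```

The comparison counts grow as n(n-1)/2 (45, 4950, 499500), which is the cost curve a crafted body drives the parser onto; the field cap bounds n before that curve matters, and hash randomization removes the attacker's ability to choose colliding names in the first place.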
