On Thu, Dec 29, 2011 at 10:32 AM, Daniel Sokolowski <daniel.sokolow...@klinsight.com> wrote:

> Would someone be so kind and explain why POST variables are stored in hash
> tables? What is the reasoning behind it? Speed? Or is this simply done at
> the Python level when using a dictionary type? Thank you
>
> On Thu, Dec 29, 2011 at 11:19 AM, Christophe Pettus <x...@thebuild.com> wrote:
>
>> On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote:
>>
>> > So this would affect Django because of the CSRF token check --- which
>> > requires the hash to be regenerated before comparing it yes?
>>
>> No, the problem is somewhat different. The attacker constructs a POST
>> request in which the field names are constructed to be a degenerate case of
>> a hash table. Since pretty much every web framework in existence
>> (including Django) automatically takes the incoming POST fields and inserts
>> them into a hash table (a Python dict being implemented as a hash table),
>> the framework will grind through this degenerate case very, very slowly.
>>
>> If I'm reading the paper correctly, it only applies to 32-bit Python
>> implementations, as the 64-bit ones are not practically vulnerable to this
>> attack.
>>
>> It's an interesting result, but I'm not sure how much to be worried about
>> it in the field. A SlowLoris or similar attack would seem to be far more
>> effective and less implementation-dependent.
>> --
>> -- Christophe Pettus
>> x...@thebuild.com
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Django developers" group.
>> To post to this group, send email to django-developers@googlegroups.com.
>> To unsubscribe from this group, send email to
>> django-developers+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/django-developers?hl=en.
>
> --
> Daniel Sokolowski
> Web Engineer
> KL Insight
> http://klinsight.com/
> Tel: 613-344-2116 | Fax: 613.634.7029
> 993 Princess Street, Suite 212
> Kingston, ON K7L 1H3, Canada

Well, what structure would you use to store them? POST variables are
"obviously" a mapping of key to value, and the way one does that in Python is
generally a dict (which are presently backed by a hashtable on every Python VM
I know of).

Alex

--
"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
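The mechanism Christophe describes (POST field names that all land in the same hash bucket, so each insert into the dict walks an ever longer chain) and the defence a request parser can apply regardless of which hash function the runtime uses are both shown in the following added example. It is not code from this thread or from Django: the table, the field cap (`MAX_FIELDS`, `parse_post_body`) and the constructed form bodies are hypothetical. The toy table takes an injectable hash function, so the degenerate case is modelled directly rather than by searching for collisions in any real hash.

```python
"""Added example (not code from the thread or from Django): a toy model of
the hash-table degeneracy discussed in the thread, plus the simplest
defence a request parser can apply, a cap on the number of POST fields.
Names below (ChainedTable, parse_post_body, MAX_FIELDS) are hypothetical."""
import sys
from urllib.parse import parse_qsl


class ChainedTable:
    """Minimal separate-chaining hash table. `hash_fn` is injectable so the
    all-keys-collide case can be modelled directly, without looking for real
    collisions in any real hash function."""

    def __init__(self, nbuckets=64, hash_fn=hash):
        self.buckets = [[] for _ in range(nbuckets)]
        self.hash_fn = hash_fn
        self.comparisons = 0  # key comparisons performed by insert()

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        # Walking the chain for an existing key is the work that becomes
        # O(n) per insert, O(n^2) overall, when every key shares one bucket.
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def insertion_cost(n_fields, degenerate):
    """Key comparisons needed to insert n_fields distinct field names.
    Constructed keys f0..f(n-1); degenerate=True forces every key into
    bucket 0, degenerate=False spreads them evenly over the buckets."""
    hash_fn = (lambda k: 0) if degenerate else (lambda k: int(k[1:]))
    table = ChainedTable(nbuckets=64, hash_fn=hash_fn)
    for i in range(n_fields):
        table.insert(f"f{i}", "x")
    return table.comparisons


# --- the defence: bound the work before the dict is built ------------------

MAX_FIELDS = 1000  # hypothetical default; a framework would expose it as a setting


class TooManyFields(ValueError):
    """Raised instead of building an oversized dict from an attacker-chosen body."""


def parse_post_body(body, max_fields=MAX_FIELDS):
    """Parse an application/x-www-form-urlencoded body into a dict, refusing
    bodies with more than max_fields pairs. The count is an upper bound taken
    from the raw text, so no per-field work happens before the check."""
    if body and body.count("&") + 1 > max_fields:
        raise TooManyFields(f"more than {max_fields} form fields")
    return dict(parse_qsl(body, keep_blank_values=True))


def hash_randomization_enabled():
    """Runtime-level mitigation check: CPython 3.3+ seeds str hashing per
    process unless PYTHONHASHSEED=0 is set (sys.flags.hash_randomization)."""
    return bool(sys.flags.hash_randomization)


if __name__ == "__main__":
    n = 256
    print("all-collide comparisons:", insertion_cost(n, degenerate=True))   # 32640
    print("spread comparisons:     ", insertion_cost(n, degenerate=False))  # 384
    print("hash randomization on:  ", hash_randomization_enabled())
    print(parse_post_body("a=1&b=2&b=3"))
```

The two numbers make the thread's point concrete: the same 256 field names cost 384 comparisons when spread and 32640 when they collide, and the gap grows quadratically with the field count. Capping the number of fields bounds that worst case for any hash function, while per-process hash seeding (the runtime mitigation later adopted in CPython) removes the attacker's ability to predict which names collide in the first place.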