Marc-Andre Lemburg <m...@egenix.com> added the comment: Marc-Andre Lemburg wrote: > > 1. The security implications in all this is being somewhat overemphasized. > > There are many ways you can do a DoS attack on web servers. It's the > responsibility of the used web frameworks and servers to deal with > the possible cases. > > It's a good idea to provide some way to protect against hash > collision attacks, but that will only solve one possible way of > causing a resource attack on a server. > > There are other ways you can generate lots of CPU overhead with > little data input (e.g. think of targeting the search feature on > many Zope/Plone sites). > > In order to protect against such attacks in general, we'd have to > provide a way to control CPU time and e.g. raise an exception if too > much time is being spent on a simple operation such as a key insertion. > This can be done using timers, signals or even under OS control. > > The easiest way to protect against the hash collision attack is by > limiting the POST/GET/HEAD request size.
For GET and HEAD, web servers normally already apply such limitations at rather low levels: http://stackoverflow.com/questions/686217/maximum-on-http-header-values So only HTTP methods which carry data in the body part of the HTTP request are effected, e.g. POST and various WebDAV methods. > The second best way would be to limit the number of parameters that a > web framework accepts for POST/GET/HEAD request. Depending on how parsers are implemented, applications taking XML/JSON/XML-RPC/etc. as data input may also be vulnerable, e.g. non validating XML parsers which place element attributes into a dictionary or a JSON parser that has to read the JSON version of the dict I generated earlier on. ---------- _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue13703> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
