Marc-Andre Lemburg <m...@egenix.com> added the comment:

Mark Shannon wrote:
>
> Mark Shannon <m...@hotpy.org> added the comment:
>
>>>> * the method would need to be implemented for all hashable Python types
>>> It was already discussed, and it was said that only hash(str) needs to
>>> be modified.
>>
>> Really? What about the much simpler attack on integer hash values?
>>
>> You only have to send a specially crafted JSON dictionary with integer
>> keys to a Python web server providing JSON interfaces in order to
>> trigger the integer hash attack.
>
> JSON objects are decoded as dicts with string keys, integer keys are
> not possible.
>
> >>> json.loads(json.dumps({1:2}))
> {'1': 2}
Thanks for the correction. Looks like XML-RPC also doesn't accept integers as dict keys. That's good :-)

However, as Paul already noted, such attacks can also occur in other places or parsers in an application, e.g. when decoding FORM parameters that use integers to signal a line or parameter position (example: value_1=2&value_2=3...) which are then converted into a dictionary mapping the position integer to the data.

marshal and pickle are vulnerable, but then you normally don't expose those to untrusted data.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
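An added illustration of the two points above (not code from the tracker thread or from CPython): a JSON round trip turns integer keys into strings, so the JSON path is not an integer-key sink, whereas an application-level parser that maps `value_N=...` form fields to integer positions is. The decoder below is a hypothetical example of such a parser that bounds the number of fields it will accept before building the dict, using the `max_num_fields` argument of `urllib.parse.parse_qsl` (available in Python 3.8 and later); the limit value is an assumption.

```python
import json
from urllib.parse import parse_qsl

# Assumed application limit on positional form fields; pick one that
# matches the largest legitimate form, not the largest the server can parse.
MAX_POSITIONAL_FIELDS = 1000


def json_roundtrip_key_types(obj):
    """Return the set of key type names after a JSON encode/decode round trip.

    Shows the point made in the thread: dict keys always come back as str,
    so untrusted JSON cannot populate a dict with integer keys.
    """
    return {type(k).__name__ for k in json.loads(json.dumps(obj))}


def decode_positional_form(query, prefix="value_", limit=MAX_POSITIONAL_FIELDS):
    """Parse 'value_1=2&value_2=3' into {1: '2', 2: '3'}.

    Integer keys are hashed by value (hash(n) == n for small ints), so unlike
    str keys they get no hash randomization. The mitigation here is to cap
    the number of fields before any dict is built: parse_qsl raises
    ValueError when the query holds more than `limit` fields.
    """
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True,
                                 max_num_fields=limit):
        if not name.startswith(prefix):
            continue  # not a positional field, ignore it
        suffix = name[len(prefix):]
        # Only ASCII digits are accepted; int() would also accept e.g. '_' or
        # whitespace, and unicode digits like '²' pass isdigit() but fail int().
        if not (suffix.isascii() and suffix.isdigit()):
            raise ValueError("bad positional field name: %r" % name)
        result[int(suffix)] = value
    return result


def accepts(query, limit=MAX_POSITIONAL_FIELDS):
    """True if the query decodes within the limit, False if it is rejected."""
    try:
        decode_positional_form(query, limit=limit)
        return True
    except ValueError:
        return False
```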