Inada Naoki <songofaca...@gmail.com> added the comment:

> I know that it's not a popular opinion, but I don't think that this denial of
> service (DoS) is important. IMO there are enough other ways to crash a
> server. Moreover, the initial attack vector was an HTTP request with tons of
> header lines. In the meantime, the Python http module was modified to put
> arbitrary limits on the number of HTTP headers and the maximum length of a
> single HTTP header.


Hash DoS is not only for HTTP headers. Everywhere a dict is created from an
untrusted source can be an attack vector.
For example, many API servers receive JSON as the HTTP request body. Limiting
HTTP headers doesn't protect it.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue29410>
_______________________________________
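
The JSON case raised above, as an added example that is not part of the original message or of CPython: a request body reaches dict construction regardless of any header limits, so this sketch reports how the running interpreter hashes str keys and applies header-style limits at the JSON layer. The function names and both limit values are assumptions chosen for illustration.

```python
import json
import sys

MAX_BODY_BYTES = 64 * 1024   # assumed limit, tune per API
MAX_KEYS_PER_OBJECT = 256    # assumed limit, tune per API


class BodyRejected(ValueError):
    """Raised when a request body exceeds the configured limits."""


def hash_settings():
    """Report how this interpreter hashes str keys."""
    return {
        "algorithm": sys.hash_info.algorithm,  # e.g. siphash13, siphash24, fnv
        # False when the process was started with PYTHONHASHSEED=0
        "randomized": bool(sys.flags.hash_randomization),
    }


def _bounded_object(pairs):
    # The decoder passes the (key, value) pairs of one JSON object as a list,
    # so the size check runs before the application-level dict is built.
    if len(pairs) > MAX_KEYS_PER_OBJECT:
        raise BodyRejected(f"object has {len(pairs)} keys")
    return dict(pairs)


def parse_untrusted_json(body: bytes):
    """Parse a request body with limits applied to the body itself."""
    if len(body) > MAX_BODY_BYTES:
        raise BodyRejected(f"body is {len(body)} bytes")
    return json.loads(body, object_pairs_hook=_bounded_object)


if __name__ == "__main__":
    print(hash_settings())
    ok = b'{"user": "alice", "roles": ["admin"]}'  # constructed sample body
    print(parse_untrusted_json(ok))
    # Constructed sample: one object with far more keys than the limit allows.
    wide = json.dumps({f"k{i}": i for i in range(1000)}).encode()
    try:
        parse_untrusted_json(wide)
    except BodyRejected as exc:
        print("rejected:", exc)
```

The limits only bound how many attacker-chosen keys can be hashed per request; whether those keys can be made to collide still depends on the hash algorithm and randomization reported by `hash_settings()`.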