Marc-Andre Lemburg <m...@egenix.com> added the comment:

On 07.10.2021 11:49, Inada Naoki wrote:
> Hash DoS is not only for HTTP headers. Everywhere a dict is created from an
> untrusted source can be an attack vector.
> For example, many API servers receive JSON as the HTTP request body. Limiting
> HTTP headers doesn't protect it.

That's certainly true, but at the same time, just focusing on string
hashes only doesn't really help either, e.g. it is very easy to
create a DoS with numeric keys or other objects which use trivial
hashing algorithms.

I wouldn't focus too much on this at the Python core level.
Server implementations have other ways to protect themselves against
DoS, e.g. by monitoring process memory, CPU load or runtime, applying
limits on incoming data.

IMO, it's much better to use application- and use-case-specific methods
for this than trying to fix basic data types in Python to address
the issue and making all Python applications suffer as a result.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue29410>
_______________________________________
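
One way to apply the "limits on incoming data" mentioned in the message above to the JSON request bodies raised in the quoted reply, as an added example that is not part of the original thread or of CPython. The limit values and the names `load_untrusted_json` and `PayloadRejected` are assumptions chosen for illustration.

```python
import json

# Assumed limits for illustration; tune them per endpoint.
MAX_BODY_BYTES = 64 * 1024
MAX_KEYS_PER_OBJECT = 256
MAX_TOTAL_KEYS = 4096


class PayloadRejected(ValueError):
    """Raised when a request body exceeds a configured limit."""


def load_untrusted_json(body: bytes):
    """Parse a JSON request body while enforcing size and key-count limits."""
    # Cheapest check first: refuse oversized bodies before any parsing.
    if len(body) > MAX_BODY_BYTES:
        raise PayloadRejected(
            f"body is {len(body)} bytes, limit is {MAX_BODY_BYTES}")

    total_keys = 0

    def build_object(pairs):
        # Called once per JSON object with its list of (key, value) pairs,
        # in place of the decoder's default dict construction.
        nonlocal total_keys
        if len(pairs) > MAX_KEYS_PER_OBJECT:
            raise PayloadRejected(
                f"object has {len(pairs)} keys, limit is {MAX_KEYS_PER_OBJECT}")
        total_keys += len(pairs)
        if total_keys > MAX_TOTAL_KEYS:
            raise PayloadRejected(
                f"document has more than {MAX_TOTAL_KEYS} keys in total")
        return dict(pairs)

    try:
        return json.loads(body, object_pairs_hook=build_object)
    except RecursionError as exc:
        # Deeply nested arrays/objects exhaust the decoder's recursion budget.
        raise PayloadRejected("nesting too deep") from exc
```

The body-size cap is the primary bound on work per request; the key-count limits narrow how large any single dict built from the request can get.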