On Sun, 10 Sept 2023 at 16:37, David Bailey <d...@dbailey.co.uk> wrote:
>
> On 07/09/2023 00:07, Oscar Benjamin wrote:
> > Hi all,
> >
> > I have a new blog post following the last one:
> > https://oscarbenjamin.github.io/blog/czi/post2.html
> >
> > This one discusses SymPy's polynomial system, improvements that can be
> > made and in particular how to make use of python-flint to speed up
> > polynomial operations in SymPy.
> >
> > --
> > Oscar
> >
> Many thanks for that, Oscar.
>
> For me, it started out easy, but went above my head at some point -
> which is probably ideal for learning something new.
>
> I was amazed that converting an integer to a decimal string could cause
> a denial of service problem. Is that because it is used for public key
> encryption (RSA or similar), or just because a server processing
> mathematical problems online might be crashed in this way?

The worry is that you might have, say, a website where a user clicks on
some buttons and that sends some data to a server like

{
    "username": "david",
    "bonus_points": "100000000000000000"
}

Then the server would parse the data like

    bonus_points = int(data['bonus_points'])  # convert the string to an integer

Then if an attacker sends many requests with long strings for
bonus_points the slow calls to int() might lock up the server. Of
course the server code could do something like:

    if len(balance_string) > 100:
        return Error("Absurd balance")

    balance = int(balance_string)

The CPython folks decided that there were likely to be too many places
in too many codebases that used int() without considering this problem
and so it was not practical to fix them all.

--
Oscar
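A server-side guard along the lines Oscar describes, written as an added example rather than code from the thread. It bounds the digit count before any int() call runs, including the int() that Python's json module applies to bare numeric literals while decoding, which a length check placed only after json.loads would miss. The handler, the digit limit and the sample request bodies are constructed for illustration.

```python
import json

MAX_DIGITS = 30  # generous for a points field; anything longer is absurd


def parse_bounded_int(s: str, max_digits: int = MAX_DIGITS) -> int:
    """Convert untrusted text to int, rejecting oversized input first.

    len() is O(1); CPython's classic decimal-to-int conversion is roughly
    O(n**2) in the number of digits, which is the cost an attacker inflates.
    """
    if not isinstance(s, str):
        raise TypeError("expected a string")
    if len(s) > max_digits + 1:  # +1 leaves room for an optional sign
        raise ValueError(f"integer literal too long ({len(s)} characters)")
    return int(s)


def handle_request(body: str) -> tuple[int, str]:
    """Decode a JSON request body; return an (http_status, message) pair."""
    try:
        # parse_int hook: JSON numbers never reach the unbounded built-in int().
        data = json.loads(body, parse_int=parse_bounded_int)
        bonus_points = parse_bounded_int(str(data["bonus_points"]))
    except (KeyError, ValueError, TypeError) as exc:
        return 400, f"bad request: {exc}"
    return 200, f"credited {bonus_points} points to {data['username']}"


# Constructed sample bodies: one legitimate, two modelled on oversized input.
GOOD_REQUEST = '{"username": "david", "bonus_points": "100000000000000000"}'
LONG_STRING_REQUEST = '{"username": "david", "bonus_points": "%s"}' % ("9" * 100_000)
BARE_NUMBER_REQUEST = '{"username": "david", "bonus_points": %s}' % ("9" * 100_000)

if __name__ == "__main__":
    for body in (GOOD_REQUEST, LONG_STRING_REQUEST, BARE_NUMBER_REQUEST):
        status, message = handle_request(body)
        print(status, message[:80])
```

Recent CPython releases also apply a default limit of a few thousand digits inside int() itself and raise ValueError beyond it; the explicit bound above still documents the field's real range and keeps the rejection independent of interpreter settings.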
