| Header | Value |
|---|---|
| Subject | Re: Hash stability |
| From | Chris Angelico <rosuav@gmail.com> |
| To | python-list@python.org |
| Date | Sun, 15 Jan 2012 23:21:24 +1100 |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.4768.1326630087.27778.python-list@python.org> |
| In-Reply-To | <994ca5fa-59b0-4128-8f9a-696d46db6856@4g2000pbz.googlegroups.com> |
| References | <4f1107b7$0$29988$c3e8da3$5496439d@news.astraweb.com> <mailman.4756.1326587769.27778.python-list@python.org> <994ca5fa-59b0-4128-8f9a-696d46db6856@4g2000pbz.googlegroups.com> |
On Sun, Jan 15, 2012 at 11:03 PM, Bryan <bryanjugglercryptographer@yahoo.com> wrote:
> Chris Angelico wrote:
>> Suggestion: Create a subclass of dict, the SecureDict or something,
>> ... there's no point adding extra load to every
>> name lookup just because of a security issue in an extremely narrow
>> situation.
>
> That seemingly "extremely narrow situation" turns out to be wide as
> Montana. Maybe Siberia. Does your program take input? Does it accept a
> format that could possibly be downloaded from a malicious site on the
> Internet? Does your market include users who occasionally make
> mistakes? If not, enjoy your utter irrelevance. If so,
> congratulations: you write Internet software.

Yes, but in that "Internet software", there will only be a small number
of dictionaries that an attacker can stuff with keys (GET/POST data,
headers, cookies, etc, and anything derived therefrom); compare the huge
number of dictionaries that exist elsewhere in your Python program.
Adding load to dictionaries will add load to a huge number of lookups
that can never come under attack.

However, since posting that I've read the entire thread on the
python-dev archive. (It is, I might mention, a LOT of text.) A number of
suggestions and arguments are put forth, including a subclassing notion
similar to my postulation, and the same point is raised: that
app/framework developers won't secure their apps. Other options are also
offered (personally, I'm liking the one where an exception is raised if
something collides with too many keys - current suggestion 1000,
although it could possibly work well with something that scales with the
dictionary size), and I'm sure that something will be done that's a lot
smarter than one quick idea spun off in response to a separate query.

So, I retract this idea :)

ChrisA
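The two mitigations the post weighs, a separate dict type for attacker-influenced data and a per-insert collision limit that raises an exception, are easy to see side by side in a small open-addressing table that exposes its probe counts (CPython's dict does not). The example below is added here and is not code from the thread, from python-dev, or from the poster; `ProbingDict`, `CollisionLimitError`, the toy `hash_fn=len` (which forces every equal-length key into one cluster, standing in for a degenerate hash) and the sample keys are all constructed for illustration, and the limit of 100 in `demo()` is a smaller stand-in for the 1000 mentioned in the post.

```python
"""Toy open-addressing hash table with a collision limit.

Added example, not code from the thread or from CPython. It makes the
probe walk of each insert visible so the 'raise after too many
collisions' mitigation can be observed, and it is a separate class, so
ordinary dicts elsewhere in a program pay nothing for it.
"""


class CollisionLimitError(RuntimeError):
    """Raised when a single insert walks past max_probes occupied slots."""


class ProbingDict:
    """Minimal open-addressing table with linear probing.

    hash_fn:    maps a key to an int; defaults to the builtin hash().
    max_probes: an insert that must skip more than this many occupied
                slots raises CollisionLimitError. The post mentions 1000
                as the figure under discussion; using it as the default
                here is this example's assumption.
    """

    def __init__(self, hash_fn=hash, max_probes=1000, capacity=8):
        self._hash = hash_fn
        self._max_probes = max_probes
        self._slots = [None] * capacity  # each slot: None or (key, value)
        self._used = 0
        self.worst_probes = 0  # longest probe walk seen by any insert

    def _find(self, key):
        """Return (index, probes) of key's slot or of the first free slot."""
        mask = len(self._slots) - 1  # capacity is always a power of two
        i = self._hash(key) & mask
        probes = 0
        while True:
            slot = self._slots[i]
            if slot is None or slot[0] == key:
                return i, probes
            probes += 1
            if probes > self._max_probes:
                raise CollisionLimitError(
                    f"{probes} collisions inserting {key!r}; "
                    f"table size {len(self._slots)}")
            i = (i + 1) & mask  # linear probing, wraps around

    def _resize(self):
        """Double the table and reinsert every entry."""
        old = self._slots
        self._slots = [None] * (len(old) * 2)
        self._used = 0
        for slot in old:
            if slot is not None:
                self[slot[0]] = slot[1]

    def __setitem__(self, key, value):
        i, probes = self._find(key)
        self.worst_probes = max(self.worst_probes, probes)
        if self._slots[i] is None:
            self._used += 1
        self._slots[i] = (key, value)
        if self._used * 3 >= len(self._slots) * 2:  # keep load factor below 2/3
            self._resize()

    def __getitem__(self, key):
        i, _ = self._find(key)
        if self._slots[i] is None:
            raise KeyError(key)
        return self._slots[i][1]

    def __len__(self):
        return self._used


def fill(table, keys):
    """Insert keys in order; return how many went in before the limit tripped."""
    for n, key in enumerate(keys):
        try:
            table[key] = n
        except CollisionLimitError:
            return n
    return len(keys)


# Constructed sample input: 300 distinct keys, all eight characters long.
SAMPLE_KEYS = [f"key{n:05d}" for n in range(300)]


def demo():
    """Return (inserted with toy hash, inserted with real hash, worst probe walk)."""
    # Toy hash: len() sends every sample key to the same slot, so the
    # k-th insert needs k probes and the limit trips at the 102nd key.
    degenerate = ProbingDict(hash_fn=len, max_probes=100)
    inserted_bad = fill(degenerate, SAMPLE_KEYS)
    # The builtin (salted) hash spreads the same keys out; all 300 fit.
    normal = ProbingDict(max_probes=100)
    inserted_ok = fill(normal, SAMPLE_KEYS)
    return inserted_bad, inserted_ok, normal.worst_probes


if __name__ == "__main__":
    print(demo())  # e.g. (101, 300, <small number>)
```

The limit is a property of the instance, so a framework can use `ProbingDict` only for the handful of containers the post names (query parameters, headers, cookies) while every other dict in the process keeps its normal cost; the exception turns a quadratic slowdown into a single rejected request that is straightforward to log and alert on.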