

Groups > comp.lang.python > #19035

Re: Hash stability

Return-Path <modelnine@modelnine.org>
X-Original-To python-list@python.org
Delivered-To python-list@mail.python.org
Date Mon, 16 Jan 2012 10:15:17 +0100
From Heiko Wundram <modelnine@modelnine.org>
User-Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120111 Thunderbird/10.0
MIME-Version 1.0
To python-list@python.org
Subject Re: Hash stability
References <4f1107b7$0$29988$c3e8da3$5496439d@news.astraweb.com> <jeritr$4sb$1@dough.gmane.org> <4F1205A7.70303@modelnine.org> <jeu8t4$2kc$1@dough.gmane.org> <4F12BC8A.9040205@modelnine.org> <jeugdp$e1b$1@dough.gmane.org> <4F12F9D8.5080904@modelnine.org> <jf0mgu$8ue$1@dough.gmane.org> <jf0o0l$gua$1@dough.gmane.org>
In-Reply-To <jf0o0l$gua$1@dough.gmane.org>
Content-Type text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding 7bit
Newsgroups comp.lang.python
Message-ID <mailman.4789.1326705327.27778.python-list@python.org> (permalink)



On 16.01.2012 09:44, Christian Heimes wrote:
> On 16.01.2012 09:18, Peter Otten wrote:
>> I've taken a quick look into the suds source; the good news is that you have
>> to change a single method, reader.Reader.mangle(), to fix the problem with
>> hash stability.
>>
>> However, I didn't see any code to deal with hash collisions at all.
>
> It smells like suds is vulnerable to cache poisoning.

That it is, yes, at least partially. Generally, this is only relevant in 
case you are actually caching DTDs (which is the default) and in case 
you are querying untrusted SOAP-servers (in which case you'll most 
likely/should not use caching anyway), and in case the attacker has 
control over the URL namespace of a DTD-serving host (because the 
host-part of the DTD URL is used in the cache filename, unhashed, only 
the actual path is hashed to form the cache index).

The easier way to poison the cache is most probably through actual 
traffic modification, as most DTD URLs are served through plain http and 
thus are susceptible to MitM modifications anyway.

-- 
--- Heiko.
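To make the cache-poisoning concern from this thread concrete, here is an added example (my own, not suds code) of a document cache whose index uses the host verbatim and a weak digest of the path only, beside a hardened variant that keys on a SHA-256 of the whole URL and stores the URL inside the entry so a colliding or tampered entry is treated as a miss instead of being served. The `DocumentCache` class, the byte-sum digest and the URLs are constructed stand-ins, not suds's real scheme.

```python
import hashlib
from urllib.parse import urlsplit


def weak_key(url: str) -> str:
    """Index modelled on the scheme described in the thread: the host part
    is used verbatim and only the path is digested. The digest here is a
    constructed 16-bit byte sum, weak on purpose so a collision can be shown
    with anagram paths; it is not the function suds uses."""
    parts = urlsplit(url)
    digest = sum(parts.path.encode()) % 65536
    return f"{parts.netloc}-{digest:04x}"


def strong_key(url: str) -> str:
    """Hardened index: a stable, collision-resistant digest of the whole URL
    (scheme, host and path), so nothing attacker-chosen lands in the key
    unhashed and the key is the same across interpreter restarts, unlike a
    key derived from the builtin hash() with randomization enabled."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


class DocumentCache:
    """Hypothetical in-memory stand-in for an on-disk DTD/WSDL cache."""

    def __init__(self, key_fn, verify: bool):
        self.key_fn = key_fn
        self.verify = verify      # check the stored URL on every lookup?
        self.store = {}           # key -> (url, document)

    def put(self, url: str, doc: str) -> None:
        # Always record which URL the entry belongs to alongside the document.
        self.store[self.key_fn(url)] = (url, doc)

    def get(self, url: str):
        entry = self.store.get(self.key_fn(url))
        if entry is None:
            return None
        cached_url, doc = entry
        if self.verify and cached_url != url:
            # Collision (or a planted file): never serve another URL's document.
            return None
        return doc


if __name__ == "__main__":
    a = "http://dtd.example.test/schemas/a-b.dtd"   # constructed URLs
    b = "http://dtd.example.test/schemas/b-a.dtd"   # anagram path, same weak key
    naive = DocumentCache(weak_key, verify=False)
    naive.put(a, "<!-- genuine a-b.dtd -->")
    print("naive cache serves for b:", naive.get(b))   # wrong document
    safe = DocumentCache(weak_key, verify=True)
    safe.put(a, "<!-- genuine a-b.dtd -->")
    print("verifying cache serves for b:", safe.get(b))  # None
```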



Thread

Hash stability Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2012-01-14 04:42 +0000
  Re: Hash stability Peter Otten <__peter__@web.de> - 2012-01-14 10:46 +0100
  Re: Hash stability Heiko Wundram <modelnine@modelnine.org> - 2012-01-14 23:45 +0100
  Re: Hash stability Chris Angelico <rosuav@gmail.com> - 2012-01-15 11:36 +1100
    Re: Hash stability Bryan <bryanjugglercryptographer@yahoo.com> - 2012-01-15 04:03 -0800
      Re: Hash stability Chris Angelico <rosuav@gmail.com> - 2012-01-15 23:21 +1100
  Re: Hash stability Roy Smith <roy@panix.com> - 2012-01-14 21:26 -0500
    Re: Hash stability Terry Reedy <tjreedy@udel.edu> - 2012-01-14 23:07 -0500
  Re: Hash stability Stefan Behnel <stefan_ml@behnel.de> - 2012-01-15 11:13 +0100
  Re: Hash stability Heiko Wundram <modelnine@modelnine.org> - 2012-01-15 12:46 +0100
  Re: Hash stability Peter Otten <__peter__@web.de> - 2012-01-15 13:22 +0100
  Re: Hash stability Heiko Wundram <modelnine@modelnine.org> - 2012-01-15 17:07 +0100
  Re: Hash stability Chris Angelico <rosuav@gmail.com> - 2012-01-16 03:13 +1100
  Re: Hash stability Heiko Wundram <modelnine@modelnine.org> - 2012-01-15 17:51 +0100
  Re: Hash stability Stefan Behnel <stefan_ml@behnel.de> - 2012-01-15 18:20 +0100
  Re: Hash stability Peter Otten <__peter__@web.de> - 2012-01-16 09:18 +0100
  Re: Hash stability Christian Heimes <lists@cheimes.de> - 2012-01-16 09:44 +0100
  Re: Hash stability Heiko Wundram <modelnine@modelnine.org> - 2012-01-16 10:15 +0100
