Path: csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!gegeweb.org!de-l.enfer-du-nord.net!feeder1.enfer-du-nord.net!cs.uu.nl!news.stack.nl!newsfeed.xs4all.nl!newsfeed6.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail Return-Path: X-Original-To: python-list@python.org Delivered-To: python-list@mail.python.org X-Spam-Status: OK 0.038 X-Spam-Evidence: '*H*': 0.92; '*S*': 0.00; 'method,': 0.07; 'default)': 0.09; 'namespace': 0.09; 'caching': 0.16; 'filename,': 0.16; 'hashed': 0.16; 'received:10.2': 0.16; 'stability.': 0.16; '(which': 0.19; 'header:In-Reply-To:1': 0.22; 'thus': 0.23; 'cache': 0.24; 'suspect': 0.24; 'code': 0.25; '(in': 0.26; 'fix': 0.27; 'urls': 0.28; 'anyway.': 0.28; 'problem': 0.29; 'host': 0.30; 'hash': 0.30; 'least': 0.30; "didn't": 0.30; "i've": 0.31; '---': 0.31; 'actually': 0.32; 'actual': 0.32; 'header:User- Agent:1': 0.33; 'to:addr:python-list': 0.33; 'all.': 0.34; 'probably': 0.35; 'however,': 0.35; 'http': 0.36; 'received:org': 0.37; 'easier': 0.38; 'plain': 0.39; 'subject:: ': 0.39; 'change': 0.40; 'to:addr:python.org': 0.40; 'most': 0.60; 'quick': 0.60; 'relevant': 0.70; 'traffic': 0.71; 'news': 0.73; 'poison': 0.84; 'querying': 0.84 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=modelnine.org; s=modelnine1012; t=1326705319; bh=NfU9lS7nojzhQXvwT/oMV2D1o6HARr6hJeIr66i86gg=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=R3z+Xdpq84TGi83DclcTs5ETqaXBbmHWYAvUmouqw7bBMiBpr4Q9laIcBiopi7frx b87OII1i9c5tucvfxDneYKBMMIOhDw0jUkDgTGS4c+QxlHGJyl9bH26AZBYHcArUxj 2//JdAjCnUwfGC2B3QvsRxtY9goSmN0La9eNKKZ4= Date: Mon, 16 Jan 2012 10:15:17 +0100 From: Heiko Wundram User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20120111 Thunderbird/10.0 MIME-Version: 1.0 To: python-list@python.org Subject: Re: Hash stability References: <4f1107b7$0$29988$c3e8da3$5496439d@news.astraweb.com> <4F1205A7.70303@modelnine.org> <4F12BC8A.9040205@modelnine.org> <4F12F9D8.5080904@modelnine.org> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: python-list@python.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: General discussion list for the Python programming language List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Newsgroups: comp.lang.python Message-ID: Lines: 24 NNTP-Posting-Host: 2001:888:2000:d::a6 X-Trace: 1326705327 news.xs4all.nl 6923 [2001:888:2000:d::a6]:55884 X-Complaints-To: abuse@xs4all.nl Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:19035 Am 16.01.2012 09:44, schrieb Christian Heimes: > Am 16.01.2012 09:18, schrieb Peter Otten: >> I've taken a quick look into the suds source; the good news is that you have >> to change a single method, reader.Reader.mangle(), to fix the problem with >> hash stability. >> >> However, I didn't see any code to deal with hash collisions at all. > > It smells like suds is vulnerable to cache poisoning. That it is, yes, at least partially. Generally, this is only relevant in case you are actually caching DTDs (which is the default) and in case you are querying untrusted SOAP-servers (in which case you'll most likely/should not use caching anyway), and in case the attacker has control over the URL namespace of a DTD-serving host (because the host-part of the DTD URL is used in the cache filename, unhashed, only the actual path is hashed to form the cache index). The easier way to poison the cache is most probably through actual traffic modification, as most DTD URLs are served through plain http and thus are suspect to MitM-modifications, anyway. -- --- Heiko.