Would someone be so kind and explain why POST variables are stored in hash tables? What is the reasoning behind it? Speed? Or is this simply done at the Python level when using a dictionary type? Thank you
On Thu, Dec 29, 2011 at 11:19 AM, Christophe Pettus <x...@thebuild.com> wrote:

> On Dec 29, 2011, at 8:12 AM, Daniel Sokolowski wrote:
>
> > So this would affect Django because of the CSRF token check --- which requires the hash to be regenerated before comparing it, yes?
>
> No, the problem is somewhat different. The attacker constructs a POST request in which the field names are constructed to be a degenerate case of a hash table. Since pretty much every web framework in existence (including Django) automatically takes the incoming POST fields and inserts them into a hash table (a Python dict being implemented as a hash table), the framework will grind through this degenerate case very, very slowly.
>
> If I'm reading the paper correctly, it only applies to 32-bit Python implementations, as the 64-bit ones are not practically vulnerable to this attack.
>
> It's an interesting result, but I'm not sure how much to be worried about it in the field. A SlowLoris or similar attack would seem to be far more effective and less implementation-dependent.
>
> --
> -- Christophe Pettus
> x...@thebuild.com
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers" group.
> To post to this group, send email to django-developers@googlegroups.com.
> To unsubscribe from this group, send email to django-developers+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-developers?hl=en.

--
Daniel Sokolowski
Web Engineer
KL Insight
http://klinsight.com/
Tel: 613-344-2116 | Fax: 613.634.7029
993 Princess Street, Suite 212
Kingston, ON K7L 1H3, Canada
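The mitigation that follows from the explanation above is to bound the work a request can cause before any field name is inserted into a dict: cap the number of fields and rely on the interpreter's salted string hashing. The code below is an added illustration, not code from the thread, from Django, or from any project; the `MAX_FIELDS` value and the sample bodies are constructed for this example. It uses the standard library's `urllib.parse.parse_qsl`, whose `max_num_fields` argument counts pairs before parsing and raises `ValueError` when the cap is exceeded.

```python
"""Defensive parsing of an application/x-www-form-urlencoded POST body.

Added example (not from the thread or from Django). The limit enforces a
hard cap on the number of fields before any key is hashed into a dict, so a
request that tries to feed a hash table a pathological key set is rejected
at the size check instead of being processed. Sample bodies are constructed.
"""
import sys
from urllib.parse import parse_qsl

# Assumed limit for this example; a real deployment would tune it to the
# largest legitimate form the application serves.
MAX_FIELDS = 1000


def parse_post_body(body: str, max_fields: int = MAX_FIELDS) -> dict:
    """Parse a urlencoded body into {name: [values...]}.

    parse_qsl counts "&"-separated pairs up front and raises ValueError when
    that count exceeds max_fields, so no dict insertion happens for an
    oversized body. Repeated names are kept as a list, as web frameworks do.
    """
    pairs = parse_qsl(body, keep_blank_values=True, max_num_fields=max_fields)
    result: dict = {}
    for name, value in pairs:
        result.setdefault(name, []).append(value)
    return result


def hash_randomization_enabled() -> bool:
    """True when str hashes are salted per process (the default since 3.3).

    Salting means an attacker cannot precompute a colliding key set for the
    interpreter's hash function, which is the other half of the defence.
    """
    return bool(sys.flags.hash_randomization)


if __name__ == "__main__":
    small = "username=alice&csrfmiddlewaretoken=abc&remember=1"  # constructed
    print(parse_post_body(small))
    big = "&".join(f"f{i}={i}" for i in range(5000))  # constructed, over the cap
    try:
        parse_post_body(big)
    except ValueError as exc:
        print("rejected oversized body:", exc)
    print("hash randomization:", hash_randomization_enabled())
```

The cap is checked by string counting, which is linear in the body length and independent of what the field names hash to; the slowdown the thread describes can only start once keys reach the dict, and this never lets an oversized body get that far.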