On Thu, 29 Dec 2011 03:55:22 +0100
Christian Heimes <li...@cheimes.de> wrote:
>
> I've been dealing with web stuff and security for almost a decade. I've
> seen far worse attack vectors. This one can easily be solved with a
> couple of lines of Python code. For example application developers can
> limit the maximum amount of POST parameters to a sensible amount and
> limit the length of each key, too.

Shouldn't the setting be implemented by frameworks?

> CPython could aid developers with a special subclass of dict. The
> crucial lookup function is already overwrite-able per dict instance and
> on subclasses of dict through PyDictObj's struct member PyDictEntry
> *(*ma_lookup)(PyDictObject *mp, PyObject *key, long hash). For example
> a specialized subclass could limit the search for a free slot to n
> recursions or choose to ignore the hash argument and calculate its own
> hash of the key.

Or, rather, the specialized subclass could implement hash randomization.

Regards

Antoine.
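The application-level mitigation Christian describes, a cap on the number of POST parameters and on the length of each key, is easy to show concretely. The following is an added example written for this page, not code from the thread or from CPython: a small parser for an application/x-www-form-urlencoded body that enforces both limits before any key is inserted into a dict, so a body crafted to fill a hash table with colliding keys is rejected before the expensive insertions happen. The limit values and the exception class name are assumptions chosen for illustration.

```python
from urllib.parse import unquote_plus

# Constructed limits for illustration; tune them per application.
MAX_FIELDS = 1000
MAX_KEY_LEN = 128


class FormLimitExceeded(ValueError):
    """Raised when a request body exceeds the configured limits (hypothetical name)."""


def parse_form_body(body, max_fields=MAX_FIELDS, max_key_len=MAX_KEY_LEN):
    """Parse an application/x-www-form-urlencoded body into {key: [values]}.

    Both limits are checked before a key reaches the dict, so an oversized
    body is refused without building the large table that a collision
    payload depends on.
    """
    if not body:
        return {}
    # Cheap O(n) pre-check: count separators before decoding anything.
    # This over-counts empty segments such as "a=1&&b=2", which is the
    # conservative direction for a limit.
    field_count = body.count("&") + 1
    if field_count > max_fields:
        raise FormLimitExceeded(
            "%d fields exceeds limit of %d" % (field_count, max_fields))
    result = {}
    for pair in body.split("&"):
        if not pair:
            continue
        raw_key, _, raw_value = pair.partition("=")
        key = unquote_plus(raw_key)
        # Measure the decoded key: that is the string the dict will hash and store.
        if len(key) > max_key_len:
            raise FormLimitExceeded(
                "key of length %d exceeds limit of %d" % (len(key), max_key_len))
        result.setdefault(key, []).append(unquote_plus(raw_value))
    return result


if __name__ == "__main__":
    # Constructed sample bodies.
    print(parse_form_body("user=alice&tag=a&tag=b"))
    try:
        parse_form_body("&".join("k%d=v" % i for i in range(20)), max_fields=10)
    except FormLimitExceeded as exc:
        print("rejected:", exc)
```

Checking the field count before decoding keeps the rejection path linear in the body size, which is the point of the mitigation: the cost of handling a hostile request must not grow faster than the cost of reading it. Current Python versions expose the same count limit as the max_num_fields argument of urllib.parse.parse_qs and parse_qsl, and CPython itself adopted the hash randomization Antoine mentions (enabled by default since 3.3, controlled by PYTHONHASHSEED), so the per-application limit is now defence in depth rather than the only line.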