On Fri, Jan 20, 2012 at 2:35 PM, Frank Sievertsen <pydev at sievertsen.de> wrote:
> On 20.01.2012 16:33, Guido van Rossum wrote:
>
>> (I'm thinking that the original attack is trivial once the set of 65000
>> colliding keys is public knowledge, which must be only a matter of time.
>
> I think it's very likely that this will happen soon.
>
> For ASP and PHP there is attack-payload publicly available.
> PHP and ASP have patches to limit the number of query-variables.
>
> We're very lucky that there's no public payload for python yet,
> and all non-public software and payload I'm aware of is based
> upon my software.
>
> But this can change any moment. It's not really difficult to
> write software to create 32bit-collisions.

While we're debating the best fix, could we allow people to at least protect themselves against script-kiddies by offering fixes to cgi.py, django, webob and a few other popular frameworks that limit forms to 1000 keys? (I suppose it's really only POST requests that are vulnerable to script kiddies, because of the length restriction on URLs.)

--
--Guido van Rossum (python.org/~guido)
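The stopgap Guido proposes, a form parser that refuses more than 1000 keys, as an added example that is not from the thread or from any of the frameworks named in it. The point is to count fields before any key is hashed into a dict, so an oversized body is rejected in linear time; the 1000 cap and the sample bodies are constructed for the example.

```python
from __future__ import annotations

from urllib.parse import unquote_plus

# The cap discussed in the thread: a constructed default, tune per application.
MAX_FIELDS = 1000


class TooManyFields(ValueError):
    """Raised before any key reaches the dict, so no colliding inserts happen."""


def field_count(body: str) -> int:
    # Cheap upper bound: one more field than there are '&' separators.
    # This is a plain scan over the bytes, with no hashing of keys involved,
    # so it cannot itself be driven into quadratic time by colliding keys.
    return body.count("&") + 1


def parse_form(body: str, max_fields: int = MAX_FIELDS) -> dict[str, list[str]]:
    """Parse an application/x-www-form-urlencoded body into {key: [values]}.

    Rejects the body outright when the separator count exceeds max_fields,
    which is the check that must run before the dict is built: once the
    keys are being inserted, a crafted set of colliding keys already costs
    O(n^2) in the hash table.
    """
    n = field_count(body)
    if n > max_fields:
        raise TooManyFields(f"{n} fields exceeds the limit of {max_fields}")

    form: dict[str, list[str]] = {}
    for pair in body.split("&"):
        if not pair:
            continue  # tolerate stray '&&' or a trailing '&'
        key, _, value = pair.partition("=")
        form.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return form


if __name__ == "__main__":
    # Constructed inputs: a normal form and one with 1001 fields.
    print(parse_form("user=guido&lang=py&lang=c"))
    try:
        parse_form("&".join(f"k{i}=v" for i in range(1001)))
    except TooManyFields as exc:
        print("rejected:", exc)
```

Python 3.8 and later expose the same idea as the `max_num_fields` argument of `urllib.parse.parse_qs` and `parse_qsl`; the hand-written version above only shows where the check has to sit relative to the dict inserts.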