Antoine Pitrou <pit...@free.fr> added the comment:

> On my slow dev machine 1000 collisions run in around 22ms:
>
> python2.7 -m timeit -n 100 "dict((x*(2**64 - 1), 1) for x in xrange(1, 1000))"
> 100 loops, best of 3: 22.4 msec per loop
>
> Using this for a DOS attack would be rather noisy, much unlike
> sending a single POST.

Note that sending one POST is not enough, unless the attacker is content with blocking *one* worker process for a couple of seconds or minutes (which is a rather tiny attack if you ask me :-)).

Also, you can combine many dicts in a single JSON list, so that the 1000 limit isn't overreached for any of the dicts.

So in all cases the attacker would have to send many of these POST requests in order to overwhelm the target machine. That's how DOS attacks work AFAIK.

> Yes, which is why the patch should be disabled by default (using
> an env var) in dot-releases. It's probably also a good idea to
> make the limit configurable to adjust to one's needs.

Agreed, if it's disabled by default then it's not a problem, but then Python is vulnerable by default...

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
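The collision-counting countermeasure the thread is debating, as an added illustration that is not code from the tracker issue or from CPython: a toy open-addressing table that counts how many occupied slots a single insert has to step past and refuses the insert once that count exceeds a configurable limit. The environment variable name HASHTABLE_COLLISION_LIMIT and the CollidingKey fixture (every instance hashes to 0) are assumptions made for this example, not real CPython settings.

```python
"""Toy linear-probing hash table with a per-insert collision limit (added example)."""
import os


class CollisionLimitExceeded(RuntimeError):
    """One insert stepped past more occupied slots than the configured limit."""


def collision_limit(default=1000):
    # Hypothetical knob for this example: an operator can raise or lower the limit.
    return int(os.environ.get("HASHTABLE_COLLISION_LIMIT", default))


class BoundedDict:
    """Each slot is None or a (hash, key, value) tuple; probing is linear."""

    def __init__(self, limit=None, capacity=8):
        self._limit = collision_limit() if limit is None else limit
        self._slots = [None] * capacity
        self._used = 0
        self.max_probes = 0  # longest probe chain seen: a cheap signal worth monitoring

    def _find(self, key):
        """Return (index, collisions): index of the key or of the first free slot."""
        h = hash(key)
        mask = len(self._slots) - 1
        i = h & mask
        collisions = 0
        while True:
            slot = self._slots[i]
            if slot is None or (slot[0] == h and slot[1] == key):
                return i, collisions
            collisions += 1          # occupied by a different key: keep probing
            i = (i + 1) & mask

    def __setitem__(self, key, value):
        i, collisions = self._find(key)
        self.max_probes = max(self.max_probes, collisions)
        if collisions > self._limit:
            raise CollisionLimitExceeded(
                f"{collisions} collisions on insert exceeds limit {self._limit}")
        if self._slots[i] is None:
            self._used += 1
        self._slots[i] = (hash(key), key, value)
        if self._used * 3 >= len(self._slots) * 2:   # keep the load factor under 2/3
            self._grow()

    def _grow(self):
        old = self._slots
        self._slots = [None] * (len(old) * 2)
        self._used = 0
        for slot in old:             # entries were already accepted: no limit check here
            if slot is not None:
                i, _ = self._find(slot[1])
                self._slots[i] = slot
                self._used += 1

    def __getitem__(self, key):
        i, _ = self._find(key)
        if self._slots[i] is None:
            raise KeyError(key)
        return self._slots[i][2]

    def __len__(self):
        return self._used


class CollidingKey:
    """Constructed fixture: every instance hashes to 0, forcing worst-case probing."""

    def __init__(self, name):
        self.name = name

    def __hash__(self):
        return 0

    def __eq__(self, other):
        return isinstance(other, CollidingKey) and self.name == other.name


def fill(keys, limit):
    """Insert every key with value True and return the table."""
    d = BoundedDict(limit=limit)
    for k in keys:
        d[k] = True
    return d


def colliding_insert_outcome(n, limit):
    """Insert n mutually colliding keys.

    Returns ("ok", longest probe chain) if all fit, or ("rejected", index of the
    first insert that exceeded the limit).
    """
    d = BoundedDict(limit=limit)
    for idx in range(n):
        try:
            d[CollidingKey(idx)] = idx
        except CollisionLimitExceeded:
            return "rejected", idx
    return "ok", d.max_probes


if __name__ == "__main__":
    print(colliding_insert_outcome(10, limit=20))    # ('ok', 9)
    print(colliding_insert_outcome(1000, limit=20))  # ('rejected', 21)
    print(len(fill(range(100), limit=20)))           # 100
```

Two things the toy makes concrete. First, the cost of the k-th colliding insert grows with k, so a limit caps the per-table work at roughly limit squared probe steps rather than n squared. Second, the limit is enforced per table: it says nothing about how many tables one request creates, which is exactly the objection raised above about packing many small dicts into one JSON list, so a per-dict limit has to be combined with a bound on total request work to actually cap the damage.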