STINNER Victor <victor.stin...@gmail.com> added the comment: It was decided to leave the hash randomization disabled by default for backward compatibility. It's a deliberate choice.
I don't think that we need to go further for Python 2.7. I never considered this denial of service attack as major, there are many other ways to trigger a DoS, and fixing the dict type is not the right way to prevent this class of attacks. HTTP clients and frameworks like http.client and Django implemented other countermeasures like limiting the number of HTTP headers. The problem was correctly fixed in Python 3: randomization enabled by default since Python 3.3, and Python 3.4 now uses SipHash which better hides the hash secret. More info at:

* http://python-security.readthedocs.io/vuln/cve-2012-1150_hash_dos.html
* http://python-security.readthedocs.io/vuln/cve-2013-7040_hash_not_properly_randomized.html

----------
Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue32175>
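The countermeasure the comment credits to http.client and Django, a cap on the number of header lines enforced before any header is inserted into a dict, as an added example (not code from the comment, from CPython or from Django); the limit of 100 and the header names in the sample input are constructed for this example, and `hash_randomization_enabled` only reports the interpreter flag the comment refers to.

```python
import sys

# Cap on header lines; the value 100 is an assumption for this example.
MAX_HEADERS = 100


class TooManyHeaders(ValueError):
    """Raised when a header block carries more lines than MAX_HEADERS."""


def parse_headers(raw, max_headers=MAX_HEADERS):
    """Parse a raw HTTP header block (bytes) into a dict of name -> value.

    The count check runs before any line is stored, so a long header list
    cannot force a large number of dict insertions, which is the step a
    hash-collision DoS against a non-randomized dict relies on.
    """
    lines = raw.split(b"\r\n")
    # The header block ends at the first empty line (or at end of input)
    end = lines.index(b"") if b"" in lines else len(lines)
    header_lines = [line for line in lines[:end] if line]
    if len(header_lines) > max_headers:
        raise TooManyHeaders("got more than %d headers" % max_headers)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    return headers


def is_rejected(raw, max_headers=MAX_HEADERS):
    """True if parse_headers refuses this header block for its size."""
    try:
        parse_headers(raw, max_headers)
    except TooManyHeaders:
        return True
    return False


def hash_randomization_enabled():
    """True if this interpreter randomizes str/bytes hashes.

    Default since Python 3.3; on 2.7 it requires -R or PYTHONHASHSEED,
    which is the backward-compatibility choice the comment describes.
    """
    return bool(sys.flags.hash_randomization)


# Constructed sample input: a benign request and a 1000-line header flood
GOOD = b"Host: example.test\r\nUser-Agent: x\r\n\r\n"
FLOOD = b"".join(b"X-H%d: v\r\n" % i for i in range(1000)) + b"\r\n"
```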