[ Dualan____Moyan ]


Bottle development framework: Security release 0.10.7

Published: 2012-01-02 21:26:53

I just released 0.10.7 (security release). It fixes a possible DoS
vulnerability that is caused by hash collisions in CPython dicts.

This bug is not specific to bottle. If you are using other frameworks,
check for updates there too.

Details:
https://cryptanalysis.eu/blog/2011/12/28/effective-dos-attacks-against-web-application-plattforms-hashdos/

"If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
keys. The algorithmic complexity of inserting n elements into the table
then goes to O(n**2), making it possible to exhaust hours of CPU time
using a single HTTP request."

This workaround limits the number of GET, POST and cookie parameters to
a reasonable number of 100 key/value pairs per request, reducing the
effectiveness of attacks. Normal web applications should not need to
process more than 100 parameters per request, but this limit can be
changed by setting Request.MAX_PARAMS to a different value.

Some more links:
http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html
http://www.nruns.com/_downloads/advisory28122011.pdf
https://github.com/defnull/bottle/commit/6946695b69f5493fb063c351400ff759323a31aa
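
The parameter cap described above, as an added example that is not Bottle's code and not part of the original announcement: it counts the parsed pairs before any of them is inserted into a dict, and uses a constructed key class whose hash is always 0 to show the quadratic insertion cost that the cap bounds. The names `parse_limited`, `TooManyParameters`, `CollidingKey` and `comparisons_for`, and the choice to reject rather than truncate an oversized request, are assumptions of this sketch.

```python
from urllib.parse import parse_qsl

MAX_PARAMS = 100  # the default the announcement gives for Request.MAX_PARAMS


class TooManyParameters(ValueError):
    """Hypothetical error type: raised before any key reaches a dict."""


def parse_limited(query_string, max_params=MAX_PARAMS):
    """Parse a query string, rejecting more than max_params key/value pairs."""
    # parse_qsl returns a list of pairs: linear work, no hash table involved.
    pairs = parse_qsl(query_string, keep_blank_values=True)
    if len(pairs) > max_params:
        raise TooManyParameters(
            "%d parameters, limit is %d" % (len(pairs), max_params))
    # At most max_params insertions happen, so the worst case is bounded.
    return dict(pairs)


class CollidingKey:
    """Constructed stand-in for colliding keys: every instance hashes to 0."""
    comparisons = 0

    def __init__(self, name):
        self.name = name

    def __hash__(self):
        return 0

    def __eq__(self, other):
        CollidingKey.comparisons += 1
        return self.name == other.name


def comparisons_for(n):
    """Count the key comparisons CPython makes inserting n colliding keys."""
    CollidingKey.comparisons = 0
    table = {}
    for i in range(n):
        table[CollidingKey(i)] = None
    return CollidingKey.comparisons


if __name__ == "__main__":
    for n in (100, 1000, 2000):
        print(n, "colliding keys ->", comparisons_for(n), "comparisons")
    print(parse_limited("a=1&b=2"))
```

With the cap at 100 the worst case stays at a few thousand comparisons per request, while the uncapped count grows with the square of the number of keys.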
