Re: Hash Table Collisions (n.runs-SA-2011.004)

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Hash Table Collisions (n.runs-SA-2011.004)
From: Javier Guerra Giraldez <javier@...>
Date: Thu, 29 Dec 2011 14:07:25 -0500

On Thu, Dec 29, 2011 at 1:55 PM, Mark Hamburg <mark@grubmah.com> wrote:
> A secure implementation would introduce some randomizing element per run or per Lua universe that would result in hash values that would collide under some conditions not colliding under others.

this seems to be what Perl and Ruby did, and what Python doesn't want
to (relegating the issue to web framework developers).

In Lua case, it seems that the problem isn't fixable at application
(or framework) level, since the string-interning mechanism has the
same weakness before one starts processing POST arguments into a
table.

Personally, i'm not that worried, because it seems that a proxy in
front of the Lua server mitigates most of the problem.  still, keeping
the issue open wouldn't do any good for Lua reputation and general
applicability.

I think that a simple solution, like making the char-skipping method
different for every Lua State should be enough.

-- 
Javier

Follow-Ups:
- Re: Hash Table Collisions (n.runs-SA-2011.004), Gé Weijers

References:
- Hash Table Collisions (n.runs-SA-2011.004), fredrik danerklint
- Re: Hash Table Collisions (n.runs-SA-2011.004), Michal Kottman
- Re: Hash Table Collisions (n.runs-SA-2011.004), Mark Hamburg

Prev by Date: Re: Hash Table Collisions (n.runs-SA-2011.004)
Next by Date: Re: Hash Table Collisions (n.runs-SA-2011.004)
Previous by thread: Re: Hash Table Collisions (n.runs-SA-2011.004)
Next by thread: Re: Hash Table Collisions (n.runs-SA-2011.004)
Index(es):
- Date
- Thread