- Subject: Re: Real-World Impact of Hash DoS in Lua
- From: Alexander Gladysh <agladysh@...>
- Date: Fri, 20 Jan 2012 00:26:11 +0400
On Thu, Jan 19, 2012 at 22:02, Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
>> Actually the right thing to do is have a 0 hash value for these strings and
>> then when the string is actually used in a table by a Lua programmer hash
>> the entire string to get its value. That way the security of the system is
>> protected (because a randomized hash of the full string is used), but the
>> performance is still good as the hashing is delayed until needed.
> This is more in line with what we are considering. Also remember that we
> can use the variant bits to differentiate short strings from long strings.
> So, short strings can be compared with pointer equality and long strings
> with memcmp; short strings are never compared with long strings (as
> their tags are already different).
1) May we hope to get a fix for this issue backported to 5.1?
2) Anyone know about Mike Pall's position on the issue? I haven't seen
his reply in any of the related threads, but, maybe, I missed
something?
Alexander.
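
The scheme discussed in the quoted text above (long strings carry a 0 hash until first used as a table key, and the tag decides how equality is tested), sketched as an added example that is not code from this thread or from the Lua sources. The `Str` layout, the function names, the seed value and the mixing function are all hypothetical, and short strings are assumed to be interned so that one object exists per distinct value.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical layout for illustration; not Lua's actual TString. */
enum { TAG_SHORT, TAG_LONG };            /* the "variant bits" */
typedef struct {
    int tag, hashed;                     /* hashed: 0 until a long string is used as a key */
    uint32_t hash;                       /* 0 placeholder while unhashed */
    size_t len;
    const char *data;
} Str;

static uint32_t g_seed = 0x5bd1e995u;    /* constructed; a VM would randomize this per state */
static unsigned g_lazy_hashes = 0;       /* counts deferred full-string hash passes */

/* Seeded pass over every byte. Stand-in mixer, not a vetted keyed hash. */
static uint32_t hash_bytes(const char *p, size_t n) {
    uint32_t h = g_seed ^ (uint32_t)n;
    for (size_t i = 0; i < n; i++)
        h = (h ^ (unsigned char)p[i]) * 16777619u;
    return h;
}

/* Short strings are hashed at creation (assumed interned); long ones are not. */
static Str make_str(int tag, const char *d) {
    Str s = { tag, tag == TAG_SHORT, 0, strlen(d), d };
    if (tag == TAG_SHORT) s.hash = hash_bytes(d, s.len);
    return s;
}

/* Called only when the string is actually used as a table key. */
static uint32_t str_hash(Str *s) {
    if (!s->hashed) {
        s->hash = hash_bytes(s->data, s->len);
        s->hashed = 1; g_lazy_hashes++;
    }
    return s->hash;
}

/* Tags differ: never equal. Short: pointer identity. Long: length + memcmp. */
static int str_eq(const Str *a, const Str *b) {
    if (a->tag != b->tag) return 0;
    if (a->tag == TAG_SHORT) return a == b;
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

int main(void) {
    Str body = make_str(TAG_LONG, "constructed long request body");
    return str_hash(&body) == str_hash(&body) && g_lazy_hashes == 1 ? 0 : 1;
}
```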