[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: [ANN] Lua 5.2.1 (work1) now available
- From: David Heiko Kolf <kolf@...>
- Date: Fri, 23 Mar 2012 07:20:27 +0100
Xavier Wang wrote:
> for developers, just not using untrusted string for table key. that's
> not unacceptable.
A lot of data description formats do that. JSON, XML or parsing Lua
files directly in a sandbox. HTTP parameters are usually put in a hash
table, too.
> and if they need do so, the work1 patch may makes
> program very slow (think about a 1M string, character by character
> calculate hash value), that also is a DoS attack.
Compared to the hash collision attack that wouldn't be slow as the cost
for calculating the hash is just linear. The attacker would have the
same cost and the network traffic would be a lot slower than the
calculation cost. The hash collision creates quadratic costs. If you use
1 MB of data for a hash collision attack, you would have blocked the
process for several minutes.
- References:
- [ANN] Lua 5.2.1 (work1) now available, Luiz Henrique de Figueiredo
- Re: [ANN] Lua 5.2.1 (work1) now available, liam mail
- Re: [ANN] Lua 5.2.1 (work1) now available, liam mail
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy
- Re: [ANN] Lua 5.2.1 (work1) now available, Enrico Colombini
- Re: [ANN] Lua 5.2.1 (work1) now available, Hans Hagen
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy
- Re: [ANN] Lua 5.2.1 (work1) now available, Xavier Wang
- Re: [ANN] Lua 5.2.1 (work1) now available, Roberto Ierusalimschy
- Re: [ANN] Lua 5.2.1 (work1) now available, John Graham-Cumming
- Re: [ANN] Lua 5.2.1 (work1) now available, Xavier Wang
