[Date Prev][Date Next][Thread Prev][Thread Next]
- Subject: Re: Hash Table Collisions (n.runs-SA-2011.004)
- From: Javier Guerra Giraldez <javier@...>
- Date: Thu, 29 Dec 2011 14:07:25 -0500
On Thu, Dec 29, 2011 at 1:55 PM, Mark Hamburg <firstname.lastname@example.org> wrote:
> A secure implementation would introduce some randomizing element per run or per Lua universe that would result in hash values that would collide under some conditions not colliding under others.
this seems to be what Perl and Ruby did, and what Python doesn't want
to (relegating the issue to web framework developers).
In Lua case, it seems that the problem isn't fixable at application
(or framework) level, since the string-interning mechanism has the
same weakness before one starts processing POST arguments into a
Personally, i'm not that worried, because it seems that a proxy in
front of the Lua server mitigates most of the problem. still, keeping
the issue open wouldn't do any good for Lua reputation and general
I think that a simple solution, like making the char-skipping method
different for every Lua State should be enough.