From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by walapai.inria.fr (8.13.6/8.13.6) with ESMTP id pBUHh2eD027043 for ; Fri, 30 Dec 2011 18:43:02 +0100 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgUCACr3/U7UGyoFlGdsb2JhbABDrE8iAQEBAQkLCQkUAyKBcgEBBTpPC0YUd4dhtXqIdYI3YwSVAYVfjFc X-IronPort-AV: E=Sophos;i="4.71,433,1320620400"; d="scan'208";a="137303901" Received: from smtp5-g21.free.fr ([212.27.42.5]) by mail1-smtp-roc.national.inria.fr with ESMTP; 30 Dec 2011 18:42:56 +0100 Received: from yeeloong (unknown [82.67.194.89]) by smtp5-g21.free.fr (Postfix) with SMTP id 34A4CD485FD for ; Fri, 30 Dec 2011 18:42:48 +0100 (CET) Received: by yeeloong (sSMTP sendmail emulation); Fri, 30 Dec 2011 18:40:30 +0100 Date: Fri, 30 Dec 2011 18:40:30 +0100 From: rixed@happyleptic.org To: caml-list@inria.fr Message-ID: <20111230174030.GA29317@yeeloong.happyleptic.org> References: <1325263446.5036.104.camel@samsung> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1325263446.5036.104.camel@samsung> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: [Caml-list] Hashtbl and security I will probably tell something very stupid, but HTML specs do not prevent a client to post 1M values with the same name, so whatever your hash function you cannot do much, can you? The simplest solution I can think of that prevents all attacks of this kind (but could reject some valid POST in theory) would be to store the bucket lengths and use it to detect and reject "obviously biaised" insertions.