From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail4-relais-sop.national.inria.fr (mail4-relais-sop.national.inria.fr [192.134.164.105]) by walapai.inria.fr (8.13.6/8.13.6) with ESMTP id pBUHqOYA027287 for ; Fri, 30 Dec 2011 18:52:24 +0100 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Am8CALj5/U5KfVM2kGdsb2JhbABDhQ+XE4gcAYgICCIBAQEBCQkNBxQEIYFyAQEBAwESAg8dARsSCwEDAQsGBQQHGh0CAiIBEQEFAQoSGRIJB4dYCJkFCosdSIJrhFg/iHECBQuDcoR4ggSBFgSCWoVdjEuNfT2EGA X-IronPort-AV: E=Sophos;i="4.71,433,1320620400"; d="scan'208";a="125092201" Received: from mail-ee0-f54.google.com ([74.125.83.54]) by mail4-smtp-sop.national.inria.fr with ESMTP/TLS/RC4-SHA; 30 Dec 2011 18:52:11 +0100 Received: by eekc50 with SMTP id c50so17713470eek.27 for ; Fri, 30 Dec 2011 09:52:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=RE1DfPwgxQYhDm1KDVuhVpxlRq7aTS216ruIjxgz6nk=; b=kz8emNTq5r4JSHWPR5cVDSBrO9dt076VL4VFGBli+XlmmpN+HJrrDs9VtPoaIqxr1x l6/mcnq9XON+Zmu+8q/FmWJ9PzIRZcsoXwIODAl+thCXyLY8dMVbBqiY3vqOTDaVjN5s 7bJ76sdTXidV/1urKJlV/nbR8scNupvEMmNA8= MIME-Version: 1.0 Received: by 10.14.122.136 with SMTP id t8mr16475328eeh.36.1325267531533; Fri, 30 Dec 2011 09:52:11 -0800 (PST) Received: by 10.213.9.210 with HTTP; Fri, 30 Dec 2011 09:52:11 -0800 (PST) In-Reply-To: <20111230174030.GA29317@yeeloong.happyleptic.org> References: <1325263446.5036.104.camel@samsung> <20111230174030.GA29317@yeeloong.happyleptic.org> Date: Fri, 30 Dec 2011 12:52:11 -0500 Message-ID: From: Edgar Friendly To: rixed@happyleptic.org Cc: caml-list@inria.fr Content-Type: multipart/alternative; boundary=e0cb4e7005bf730f5304b552e491 Subject: Re: [Caml-list] Hashtbl and security --e0cb4e7005bf730f5304b552e491 Content-Type: text/plain; charset=UTF-8 Not a problem, other than memory waste (which doesn't matter the key). Hashtbl.add prepends to the front of the list, so it'll be fast. And Hashtbl.find will match the head of the list, and return quickly too. Hashtbl.find_all will have to go through the whole list, but that's expected. E. On Fri, Dec 30, 2011 at 12:40 PM, wrote: > I will probably tell something very stupid, but HTML specs > do not prevent a client to post 1M values with the same name, > so whatever your hash function you cannot do much, can you? > > The simplest solution I can think of that prevents all attacks > of this kind (but could reject some valid POST in theory) would > be to store the bucket lengths and use it to detect and reject > "obviously biaised" insertions. > > > -- > Caml-list mailing list. Subscription management and archives: > https://sympa-roc.inria.fr/wws/info/caml-list > Beginner's list: http://groups.yahoo.com/group/ocaml_beginners > Bug reports: http://caml.inria.fr/bin/caml-bugs > > --e0cb4e7005bf730f5304b552e491 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Not a problem, other than memory waste (which doesn't matter the key).= =C2=A0 Hashtbl.add prepends to the front of the list, so it'll be fast.= =C2=A0 And Hashtbl.find will match the head of the list, and return quickly= too.=C2=A0 Hashtbl.find_all will have to go through the whole list, but th= at's expected.

E.

On Fri, Dec 30, 2011 at 12:40 PM, = <rixed@happy= leptic.org> wrote:
I will probably tell something very stupid, but HTML specs
do not prevent a client to post 1M values with the same name,
so whatever your hash function you cannot do much, can you?

The simplest solution I can think of that prevents all attacks
of this kind (but could reject some valid POST in theory) would
be to store the bucket lengths and use it to detect and reject
"obviously biaised" insertions.


--
Caml-list mailing list. =C2=A0Subscription management and archives:
https://sympa-roc.inria.fr/wws/info/caml-list
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
Bug reports: http://caml.inria.fr/bin/caml-bugs


--e0cb4e7005bf730f5304b552e491--