lua-users home
lua-l archive


Xavier Wang wrote:
> For developers, just not using untrusted strings for table keys. That's
> not unacceptable.

A lot of data description formats do that. JSON, XML or parsing Lua
files directly in a sandbox. HTTP parameters are usually put in a hash
table, too.

> And if they need to do so, the work1 patch may make the
> program very slow (think about a 1M string, calculating the hash value
> character by character); that also is a DoS attack.

Compared to the hash collision attack, that wouldn't be slow, as the cost
for calculating the hash is just linear. The attacker would have the
same cost, and the network traffic would be a lot slower than the
calculation cost. The hash collision creates quadratic costs. If you use
1 MB of data for a hash collision attack, you would have blocked the
process for several minutes.
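An added example (not code from the thread or from Lua) that makes the cost comparison above concrete: a toy chained hash table that counts bytes hashed and key comparisons, so the linear cost of hashing every character can be set against the quadratic work done when all keys land in one bucket. The table, hash functions and key generator are constructed for this illustration.

```python
# Added illustration of the cost argument: hashing every byte of a key is
# linear in input size, while a table whose keys all collide does quadratic
# work in the number of keys. Nothing here models Lua's real string hash.


class CountingTable:
    """Minimal chained hash table that records hashing work and comparisons."""

    def __init__(self, hash_fn, nbuckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.bytes_hashed = 0   # work spent computing hashes (linear in key bytes)
        self.comparisons = 0    # work spent walking bucket chains

    def insert(self, key, value):
        self.bytes_hashed += len(key)  # full-string hash touches every byte once
        bucket = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(bucket):  # one comparison per chained entry
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))


def good_hash(key):
    """Plain polynomial hash over every byte: keys spread across buckets."""
    h = 0
    for ch in key.encode():
        h = (h * 31 + ch) & 0xFFFFFFFF
    return h


def colliding_hash(key):
    """Worst case for the table: every key maps to the same bucket."""
    return 0


def insertion_cost(hash_fn, nkeys, keylen=16):
    """Insert nkeys distinct keys of keylen bytes; return (bytes_hashed, comparisons)."""
    t = CountingTable(hash_fn)
    for i in range(nkeys):
        t.insert(f"k{i:0{keylen - 1}d}", i)  # constructed keys, all keylen bytes long
    return t.bytes_hashed, t.comparisons


if __name__ == "__main__":
    for name, fn in (("spread keys", good_hash), ("all colliding", colliding_hash)):
        hashed, compared = insertion_cost(fn, 1000)
        print(f"{name:14s} bytes hashed={hashed:6d} comparisons={compared:7d}")
```

Both runs hash the same 16,000 bytes; only the chain walks differ, and for the colliding case they grow as n(n-1)/2.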