[Python-Dev] Hash collision security issue (now public)
Bill Janssen janssen at parc.com
Tue Jan 3 23:02:19 CET 2012
- Previous message: [Python-Dev] RNG in the core
- Next message: [Python-Dev] Hash collision security issue (now public)
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Christian Heimes <lists at cheimes.de> wrote:

> On 29.12.2011 12:13, Mark Shannon wrote:
> > The attack relies on being able to predict the hash value for a given
> > string. Randomising the string hash function is quite straightforward.
> > There is no need to change the dictionary code.
> >
> > A possible (untested) patch is attached. I'll leave it for those more
> > familiar with unicodeobject.c to do properly.
>
> I'm worried that hash randomization of str is going to break 3rd party
> software that relies on a stable hash across multiple Python instances.
> Persistence layers like ZODB and cross-interpreter communication channels
> used by multiprocessing may (!) rely on the fact that the hash of a string
> is fixed.
Software that depends on an undefined hash function for synchronization and persistence deserves to break, IMO. There are plenty of well-defined hash functions available for this purpose.
Bill