[Python-Dev] Hash collision security issue (now public)
Nick Coghlan ncoghlan at gmail.com
Fri Jan 6 02:33:50 CET 2012
On Fri, Jan 6, 2012 at 10:59 AM, Benjamin Peterson <benjamin at python.org> wrote:
> What exactly is the disadvantage of a sys attribute? That would seem preferable to an obscure incarnation like that.
Adding sys attributes in maintenance (or security) releases makes me nervous.
However, Victor and Christian are right about the need for a special case to avoid leaking information, so my particular suggested check won't work.
The most robust check would be to run sys.executable in a subprocess and check if it gives the same hash for a non-empty string as the current process.
Cheers, Nick.
-- Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
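
The subprocess check described in the message above, as an added example (not code from the thread or from CPython). It assumes Python 3.7+ with hashing configured through the environment; `child_hashes`, `randomization_active` and the probe strings are names made up for this sketch.

```python
import json
import os
import subprocess
import sys

# Constructed, non-empty probe strings (the message specifies non-empty).
# Several are used so one chance match cannot pass for "same seed".
PROBES = ("a", "python-dev", "hash collision")

# Program run by the child: hash every argument, report the values as JSON.
_CHILD = "import json, sys; print(json.dumps([hash(s) for s in sys.argv[1:]]))"


def child_hashes(probes=PROBES, hashseed=None):
    """Return hash() of each probe as computed by a fresh sys.executable.

    hashseed=None inherits PYTHONHASHSEED from this process, which is what
    the check needs; passing a value overrides it (for demonstration only).
    Interpreter command-line flags are NOT inherited by the child.
    """
    env = dict(os.environ)
    if hashseed is not None:
        env["PYTHONHASHSEED"] = str(hashseed)
    out = subprocess.run(
        [sys.executable, "-c", _CHILD, *probes],
        env=env, check=True, capture_output=True, text=True, timeout=30,
    ).stdout
    return json.loads(out)


def randomization_active(probes=PROBES):
    """True if a sibling interpreter hashes the probes differently from us.

    The caller only gets a yes/no answer, never a hash value.
    """
    ours = [hash(s) for s in probes]
    return child_hashes(probes) != ours


if __name__ == "__main__":
    print("hashes differ across processes:", randomization_active())
    # sys.flags.hash_randomization is a later CPython addition, so it is
    # read with getattr; a fixed integer PYTHONHASHSEED sets that flag to 1
    # even though every process then computes identical hashes.
    print("sys.flags.hash_randomization:",
          getattr(sys.flags, "hash_randomization", "n/a"))
```

With a fixed integer `PYTHONHASHSEED` in the environment the comparison reports no difference, which is the behaviour that matters for collision resistance.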