[Python-Dev] Status of the fix for the hash collision vulnerability
Antoine Pitrou solipsis at pitrou.net
Sat Jan 14 09:33:02 CET 2012
On Sat, 14 Jan 2012 04:45:57 +0100 martin at v.loewis.de wrote:
> > What an implementation looks like:
> >
> > http://pastebin.com/9ydETTag
> >
> > some stuff to be filled in, but this is all that is really required.
>
> I think this statement (and the patch) is wrong. You also need to change the byte string hashing, at least for 2.x. This I consider the biggest flaw in that approach - other people may have written string-like objects which continue to compare equal to a string but now hash different.

They're unlikely to have rewritten the hash algorithm by hand - especially given the caveats wrt. differences between Python integers and C integers. Rather, they would have returned the hash() of the equivalent str or unicode object.
Regards
Antoine.
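
The compatibility point discussed in this message, as an added example that is not part of the original post or of the linked patch: a string-like class that returns hash() of its underlying str keeps working as a dict key when the interpreter's string hash changes, while one that re-implements the old algorithm by hand does not. The class and function names are hypothetical, and `legacy_str_hash` is the pre-randomization CPython 2.x byte-string hash re-done with Python integers, assuming a 64-bit C long.

```python
# Added illustration; class and function names are hypothetical.
MASK = (1 << 64) - 1  # assumption: 64-bit C long, as on a 64-bit CPython 2.x build


def legacy_str_hash(s):
    """Pre-randomization CPython 2.x byte-string hash, redone with Python ints."""
    data = s.encode("latin-1")
    if not data:
        return 0
    x = (data[0] << 7) & MASK
    for byte in data:
        x = ((1000003 * x) & MASK) ^ byte   # C multiplication wraps; Python's does not
    x ^= len(data)
    if x >= 1 << 63:                        # reinterpret the bits as a signed C long
        x -= 1 << 64
    return -2 if x == -1 else x             # -1 is reserved as an error marker


class _StrLike:
    """String-like wrapper that compares equal to the plain str it wraps."""
    def __init__(self, text):
        self.text = text

    def __eq__(self, other):
        return self.text == (other.text if isinstance(other, _StrLike) else other)


class Delegating(_StrLike):
    def __hash__(self):
        return hash(self.text)              # follows whatever hash the interpreter uses


class HandRolled(_StrLike):
    def __hash__(self):
        return legacy_str_hash(self.text)   # frozen copy of the old algorithm


def found_in_dict(obj, key="session"):
    """True if obj locates an entry stored under the equal plain-str key."""
    return obj in {key: 1}


if __name__ == "__main__":
    print("delegating :", found_in_dict(Delegating("session")))
    print("hand-rolled:", found_in_dict(HandRolled("session")))
```

On a current Python 3 interpreter, where str hashing is randomized per process, the hand-rolled variant compares equal to the key but is looked up under a different hash, so the entry is not found.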