[Python-Dev] Hash collision security issue (now public)
Antoine Pitrou solipsis at pitrou.net
Fri Jan 6 01:59:10 CET 2012
On Fri, 06 Jan 2012 01:50:00 +0100
Christian Heimes <lists at cheimes.de> wrote:
> On 06.01.2012 01:34, Nick Coghlan wrote:
> > On Fri, Jan 6, 2012 at 10:07 AM, Steven D'Aprano <steve at pearwood.info> wrote:
> >> Surely the way to verify the behaviour is to run this from the shell:
> >>
> >> python -c 'print(hash("abcde"))'
> >>
> >> twice, and see that the calls return different values. (Or have I
> >> misunderstood the way the fix is going to work?)
> >>
> >> In any case, I wouldn't want to rely on the presence of a flag in the sys
> >> module to verify the behaviour, I'd want to see for myself that hash
> >> collisions are no longer predictable.
> >
> > More directly, you can just check that the hash of the empty string is non-zero.
> >
> > So -1 for a flag in the sys module - "hash('') != 0" should serve as a
> > sufficient check whether or not process-level string hash
> > randomisation is in effect.
>
> This might not work as we have to special case empty strings and perhaps \0 strings, too.

The special case value doesn't have to be zero. Make it age(Barry) for example (which, I think, is still representable in a 32-bit integer!).
Regards
Antoine.
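
The two checks discussed in this thread, run side by side as an added example (not code from the thread or from CPython). It assumes a CPython 3 interpreter, where the empty string hashes to 0, and uses the `PYTHONHASHSEED` environment variable from released CPython, which this message does not name.

```python
import json
import os
import subprocess
import sys

# One-liner executed in a fresh interpreter: report hash() of the two probe strings.
PROBE = 'import json; print(json.dumps({s: hash(s) for s in ("", "abcde")}))'


def probe(seed):
    """Return {string: hash} from a new process started with PYTHONHASHSEED=seed."""
    env = dict(os.environ, PYTHONHASHSEED=seed)
    result = subprocess.run(
        [sys.executable, "-c", PROBE],
        env=env, check=True, capture_output=True, text=True,
    )
    return json.loads(result.stdout)


def differs_between_processes(runs=3):
    """The 'run it twice' check: hash('abcde') changes from process to process."""
    seen = {probe("random")["abcde"] for _ in range(runs)}
    return len(seen) > 1


def empty_string_nonzero(seed):
    """The proposed shortcut: treat hash('') != 0 as proof of randomisation."""
    return probe(seed)[""] != 0


if __name__ == "__main__":
    # Seed "0" disables randomisation; "random" asks for a fresh per-process seed.
    for seed in ("0", "random"):
        print(seed, probe(seed))
    print("differs between processes:", differs_between_processes())
    print("hash('') != 0 with randomisation on:", empty_string_nonzero("random"))
```
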