[Python-Dev] Status of the fix for the hash collision vulnerability
Jeremy Sanders jeremy at jeremysanders.net
Tue Jan 17 16:44:21 CET 2012
Jeremy Sanders wrote:
> Victor Stinner wrote:
>> If hash(str1)&DICTMASK == hash(str2)&DICTMASK but hash(str1)!=hash(str2), strings are not compared (this is a common optimization in Python), and so the attack would not be successful (it would be slow, but not as slow as comparing two strings).
>
> It's a shame the hash function can't take a second salt parameter to include in the hash. Each dict could have its own salt, generated from a quick pseudo-random generator.

Please ignore... forgot that the hashes are cached for strings!
Jeremy