[Python-Dev] Make str/bytes hash algorithm pluggable? (original) (raw)

Antoine Pitrou solipsis at pitrou.net
Fri Oct 4 11:57:39 CEST 2013


Le Fri, 4 Oct 2013 11:15:17 +0200, Victor Stinner <victor.stinner at gmail.com> a écrit :

2013/10/4 Armin Rigo <arigo at tunes.org>: > The current hash randomization is > simply not preventing anything; someone posted long ago a way to > recover bit-by-bit the hash randomized used by a remote web program > in Python running on a server.

Oh interesting, is it public? If yes, could we please search the URL of the exploit? I'm more motivated to fix an issue if it is proved to be exploitable. I still fail to understand the real impact of a hash DoS compared to other kinds of DoS. It's like the XML bomb: the vulnerability was also known since many years, but Christian only fixed the issue recently (and the fix was implemented in a package on the Cheeseshop, not in the stblib! Is that correct?). > The only benefit of this hash > randomization option (-R) was to say to the press that Python fixed > very quickly the problem when it was mediatized :-/ The real benefit is to warn users that they should not rely on the dictionary or set order/representation (in their unit tests), and that the hash function is not deterministic :-)

I agree it probably had educational value.

Regards

Antoine.



More information about the Python-Dev mailing list