[issue13703] Hash collision security issue
report at bugs.python.org
Thu Jan 12 11:02:06 CET 2012
Graham Dumpleton <Graham.Dumpleton at gmail.com> added the comment:
Right back at the start it was said:
We haven't agreed whether the randomization should be enabled by default or disabled by default. IMHO it should be disabled for all releases except for the upcoming 3.3 release. The env var PYTHONRANDOMHASH=1 would enable the randomization. It's simple to set the env var in e.g. Apache for mod_python and mod_wsgi.
with an environment variable PYTHONHASHSEED still being mentioned towards the end.
Be aware that a user being able to set an environment variable which is used on Python interpreter initialisation when using mod_python or mod_wsgi is not as trivial as made out in the leading comment.
To set an environment variable would require the setting of the environment variable to be done in the Apache etc. init.d scripts, or if the Apache distro still follows Apache Software Foundation conventions, in the 'envvars' file.
Having to do this requires root access and is inconvenient, especially since where it needs to be done differs between every distro.
Where there are other environment variables that are useful to set for interpreter initialisation, mod_wsgi has been changed in the past to add specific directives for the Apache configuration file to set them prior to interpreter initialisation. This at least makes it somewhat easier, but still only of help where you are the admin of the server.
If that approach is necessary, then although mod_wsgi could eventually add such a directive, as mod_python is dead it will never happen for it.
As to another question posed about whether mod_wsgi itself is doing anything to combat this, the answer is no, as I don't believe there is anything it can do. Values like the query string or post data are simply passed through as-is and always pulled apart by the application.
Python tracker <report at bugs.python.org>
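The comment above notes that mod_wsgi passes the query string through untouched, so any bound on what gets pulled apart has to live in the application. As an added example (not code from this thread, from mod_wsgi or from CPython), here is a small WSGI middleware that warns when the interpreter was started without hash randomization and caps the number of query-string fields via parse_qs; it assumes CPython 3.8+ for sys.flags.hash_randomization and parse_qs(max_num_fields=...), and hello_app/run_request are constructed helpers for exercising it.

```python
# Added example (not tracker or mod_wsgi code); assumes CPython 3.8+.
import logging
import sys
from urllib.parse import parse_qs

log = logging.getLogger("hashcheck")


def hash_randomization_enabled(flags=sys.flags):
    """True if the interpreter started with str/bytes hash randomization.

    PYTHONHASHSEED=0 (or a build without it) leaves this at 0, so keys
    chosen by a client can force worst-case dict behaviour.
    """
    return getattr(flags, "hash_randomization", 0) == 1


class BoundedQueryMiddleware:
    """Cap the query-string field count before the wrapped app parses it.

    mod_wsgi passes QUERY_STRING through untouched, so this limit has to
    live in the application layer; parse_qs enforces it via max_num_fields.
    """

    def __init__(self, app, max_fields=100):
        self.app, self.max_fields = app, max_fields
        if not hash_randomization_enabled():
            log.warning("hash randomization is off; bounding request fields")

    def __call__(self, environ, start_response):
        try:  # ValueError once more than max_num_fields fields are present
            environ["parsed.query"] = parse_qs(
                environ.get("QUERY_STRING", ""), max_num_fields=self.max_fields)
        except ValueError:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"too many query parameters\n"]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Constructed minimal application that reports the parsed field count."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("%d fields\n" % len(environ["parsed.query"])).encode()]


def run_request(app, query_string):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    captured = {}
    start = lambda status, headers: captured.setdefault("status", status)
    body = b"".join(app({"QUERY_STRING": query_string}, start))
    return captured["status"], body
```

Wrapping the application object this way works under mod_wsgi without any change to Apache's environment, which is the part the comment says only an admin can do.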