<div dir="ltr">I thought you are right. Here is the source code in python 2.7.11:<div><br></div><div><div>long</div><div>PyObject_Hash(PyObject *v)</div><div>{</div><div> PyTypeObject *tp = v->ob_type;</div><div> if (tp->tp_hash != NULL)</div><div> return (*tp->tp_hash)(v);</div><div> /* To keep to the general practice that inheriting</div><div> * solely from object in C code should work without</div><div> * an explicit call to PyType_Ready, we implicitly call</div><div> * PyType_Ready here and then check the tp_hash slot again</div><div> */</div><div> if (tp->tp_dict == NULL) {</div><div> if (PyType_Ready(tp) < 0)</div><div> return -1;</div><div> if (tp->tp_hash != NULL)</div><div> return (*tp->tp_hash)(v);</div><div> }</div><div> if (tp->tp_compare == NULL && RICHCOMPARE(tp) == NULL) {</div><div> return _Py_HashPointer(v); /* Use address as hash value */</div><div> }</div><div> /* If there's a cmp but no hash defined, the object can't be hashed */</div><div> return PyObject_HashNotImplemented(v);</div><div>}</div></div><div><br></div><div>If object has hash function, it will be used. If not, _Py_HashPointer will be used. Which _Py_HashSecret are not used.</div><div>And I checked reference of _Py_HashSecret. Only bufferobject, unicodeobject and stringobject use _Py_HashSecret.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 17, 2016 at 9:54 AM, Steven D'Aprano <span dir="ltr"><<a href="mailto:steve@pearwood.info" target="_blank">steve@pearwood.info</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Tue, Feb 16, 2016 at 11:56:55AM -0800, Glenn Linderman wrote:<br>
> On 2/16/2016 1:48 AM, Christoph Groth wrote:<br>
> >Hello,<br>
> ><br>
> >Recent Python versions randomize the hashes of str, bytes and datetime<br>
> >objects. I suppose that the choice of these three types is the result<br>
> >of a compromise. Has this been discussed somewhere publicly?<br>
><br>
> Search archives of this list... it was discussed at length.<br>
<br>
</span>There's a lot of discussion on the mailing list. I think that this is<br>
the very start of it, in Dec 2011:<br>
<br>
<a href="https://mail.python.org/pipermail/python-dev/2011-December/115116.html" rel="noreferrer" target="_blank">https://mail.python.org/pipermail/python-dev/2011-December/115116.html</a><br>
<br>
and continuing into 2012, for example:<br>
<br>
<a href="https://mail.python.org/pipermail/python-dev/2012-January/115577.html" rel="noreferrer" target="_blank">https://mail.python.org/pipermail/python-dev/2012-January/115577.html</a><br>
<a href="https://mail.python.org/pipermail/python-dev/2012-January/115690.html" rel="noreferrer" target="_blank">https://mail.python.org/pipermail/python-dev/2012-January/115690.html</a><br>
<br>
and a LOT more, spread over many different threads and subject lines.<br>
<br>
You should also read the issue on the bug tracker:<br>
<br>
<a href="http://bugs.python.org/issue13703" rel="noreferrer" target="_blank">http://bugs.python.org/issue13703</a><br>
<br>
<br>
My recollection is that it was decided that only strings and bytes need<br>
to have their hashes randomized, because only strings and bytes can be<br>
used directly from user-input without first having a conversion step<br>
with likely input range validation. In addition, changing the hash for<br>
ints would break too much code for too little benefit: unlike strings,<br>
where hash collision attacks on web apps are proven and easy, hash<br>
collision attacks based on ints are more difficult and rare.<br>
<br>
See also the comment here:<br>
<br>
<a href="http://bugs.python.org/issue13703#msg151847" rel="noreferrer" target="_blank">http://bugs.python.org/issue13703#msg151847</a><br>
<span class=""><br>
<br>
<br>
> >I'm not a web programmer, but don't web applications also use<br>
> >dictionaries that are indexed by, say, tuples of integers?<br>
><br>
> Sure, and that is the biggest part of the reason they were randomized.<br>
<br>
</span>But they aren't, as far as I can see:<br>
<br>
[steve@ando 3.6]$ ./python -c "print(hash((23, 42, 99, 100)))"<br>
1071302475<br>
[steve@ando 3.6]$ ./python -c "print(hash((23, 42, 99, 100)))"<br>
1071302475<br>
<br>
Web apps can use dicts indexed by anything that they like, but unless<br>
there is an actual attack, what does it matter? Guido makes a good point<br>
about security here:<br>
<br>
<a href="https://mail.python.org/pipermail/python-dev/2013-October/129181.html" rel="noreferrer" target="_blank">https://mail.python.org/pipermail/python-dev/2013-October/129181.html</a><br>
<span class=""><br>
<br>
<br>
> I think hashes of all types have been randomized, not _just_ the list<br>
> you mentioned.<br>
<br>
</span>I'm pretty sure that's not actually the case. Using 3.6 from the repo<br>
(admittedly not fully up to date though), I can see hash randomization<br>
working for strings:<br>
<br>
[steve@ando 3.6]$ ./python -c "print(hash('abc'))"<br>
11601873<br>
[steve@ando 3.6]$ ./python -c "print(hash('abc'))"<br>
-<a href="tel:2009889747" value="+862009889747">2009889747</a><br>
<br>
but not for ints:<br>
<br>
[steve@ando 3.6]$ ./python -c "print(hash(42))"<br>
42<br>
[steve@ando 3.6]$ ./python -c "print(hash(42))"<br>
42<br>
<br>
<br>
which agrees with my recollection that only strings and bytes would be<br>
randomized.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
--<br>
Steve<br>
_______________________________________________<br>
Python-Dev mailing list<br>
<a href="mailto:Python-Dev@python.org">Python-Dev@python.org</a><br>
<a href="https://mail.python.org/mailman/listinfo/python-dev" rel="noreferrer" target="_blank">https://mail.python.org/mailman/listinfo/python-dev</a><br>
Unsubscribe: <a href="https://mail.python.org/mailman/options/python-dev/shell909090%40gmail.com" rel="noreferrer" target="_blank">https://mail.python.org/mailman/options/python-dev/shell909090%40gmail.com</a><br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">彼節者有間,而刀刃者無厚;以無厚入有間,恢恢乎其於游刃必有餘地矣。<br>blog: <a href="http://shell909090.org/blog/" target="_blank">http://shell909090.org/blog/</a><div>twitter: <a href="https://twitter.com/shell909090" target="_blank">@shell909090</a><br><a href="http://about.me" target="_blank">about.me</a>: <a href="http://about.me/shell909090" target="_blank">http://about.me/shell909090</a></div></div></div>
</div>