[issue13703] Hash collision security issue
Marc-Andre Lemburg
report at bugs.python.org
Wed Jan 18 19:59:57 CET 2012
Marc-Andre Lemburg <mal at egenix.com> added the comment:
STINNER Victor wrote:
>
> Patch version 7:
> - Make PyOS_URandom() private (renamed to _PyOS_URandom)
> - os.urandom() releases the GIL for I/O operation for its implementation reading /dev/urandom
> - move _Py_unicode_hash_secret_t documentation into unicode_hash()
>
> I also moved the fixes for the tests into a separate patch: random_fix-tests.patch.
Don't you think that the number of corrections you have to apply in order
to get the tests working again shows how much impact such a change would
have in real-world applications?
Perhaps we should start to think about a compromise: make both the
collision counting and the hash seeding optional and let the user
decide which option is best.
BTW: The patch still includes the unnecessary _Py_unicode_hash_secret.suffix,
which needlessly complicates the code and doesn't add any additional
protection against hash value collisions.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
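A toy model, added here and not part of the thread or of CPython's code, illustrating the point made above about the suffix: xoring a secret into the final hash value is a bijection on the output, so it cannot change which strings collide with which. The hash below is a constructed 16-bit stand-in for the prefix/suffix-seeded multiply-xor string hash under discussion, truncated so that collisions are cheap to enumerate.

```python
# Toy model (constructed, not CPython's implementation) of a string hash seeded
# with a secret prefix and suffix, in the style of the multiply-xor hash the
# thread discusses, truncated to 16 bits so collisions are easy to find.
from collections import defaultdict
from itertools import product

MASK = 0xFFFF  # toy width; the real hash is pointer-sized


def seeded_hash(s: bytes, prefix: int, suffix: int) -> int:
    """Prefix is mixed in before the per-byte loop, suffix xored in at the end."""
    if not s:
        return 0
    x = (prefix ^ (s[0] << 7)) & MASK
    for c in s:
        x = ((1000003 * x) ^ c) & MASK
    x ^= len(s)
    return (x ^ suffix) & MASK


def collision_classes(prefix: int, suffix: int, length: int = 3) -> frozenset:
    """Group all `length`-byte strings over a small alphabet by hash value and
    return the set of groups that actually collide (two or more members)."""
    alphabet = b"abcdefghijklmnop"  # 16 symbols -> 4096 strings for length 3
    buckets = defaultdict(list)
    for tup in product(alphabet, repeat=length):
        s = bytes(tup)
        buckets[seeded_hash(s, prefix, suffix)].append(s)
    return frozenset(frozenset(g) for g in buckets.values() if len(g) > 1)


def suffix_changes_collisions(prefix: int, suffix_a: int, suffix_b: int) -> bool:
    """True if the set of colliding string groups differs between two suffixes.
    Since h(s) = g(s, prefix) ^ suffix and xor by a constant is a bijection,
    this is always False: the suffix only relabels hash values."""
    return collision_classes(prefix, suffix_a) != collision_classes(prefix, suffix_b)


if __name__ == "__main__":
    base = collision_classes(prefix=0x1234, suffix=0)
    print(f"{len(base)} colliding groups with suffix 0")
    for suf in (0xBEEF, 0x0001, 0xFFFF):
        print(f"suffix {suf:#06x}: collisions changed? "
              f"{suffix_changes_collisions(0x1234, 0, suf)}")
```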