[issue13703] Hash collision security issue

Alex Gaynor report at bugs.python.org
Thu Jan 26 23:43:58 CET 2012


Alex Gaynor <alex.gaynor at gmail.com> added the comment:

On Thu, Jan 26, 2012 at 5:42 PM, Martin v. Löwis <report at bugs.python.org> wrote:

>
> Martin v. Löwis <martin at v.loewis.de> added the comment:
>
> > What happens if, instead of putting strings in a dictionary directly, I
> > have them wrapped in something.  For example, the classes Antoine and I
> > pasted early.  These define hash and equal as being strings, but don't
> > have an ordering.
>
> As Dave has analysed: the dictionary falls back to the current
> implementation.
> So wrt. your question "Is it still able to find the value?", the answer is
>
> Yes, certainly. It's fully backwards compatible, with the limitation
> in msg152030 (i.e. the dictionary order may change for dictionaries with
> string keys colliding in their hash() values).
>
> ----------
>
> _______________________________________
> Python tracker <report at bugs.python.org>
> <http://bugs.python.org/issue13703>
> _______________________________________
>

But using non-__builtin__.str objects (such as UserString) would expose the
user to an attack?

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________

