[Python-Dev] Hash collision security issue (now public)

Barry Warsaw barry at python.org
Thu Jan 5 21:45:58 CET 2012

On Jan 05, 2012, at 02:33 PM, David Malcolm wrote:

>We have similar issues in RHEL, with the Python versions going much
>further back (e.g. 2.3)
>When backporting the fix to ancient python versions, I'm inclined to
>turn the change *off* by default, requiring the change to be enabled via
>an environment variable: I want to avoid breaking existing code, even if
>such code is technically relying on non-guaranteed behavior.  But we
>could potentially tweak mod_python/mod_wsgi so that it defaults to *on*.
>That way /usr/bin/python would default to the old behavior, but web apps
>would have some protection.

This sounds like a reasonable compromise for all stable Python releases.  It
can be turned on by default for Python 3.3.  If you also make the default
setting easy to change (i.e. parameterized in one place), then distros can
make their own decision about the default, although I'd argue for the above
default approach for Debian/Ubuntu.

>Any such logic here also suggests the need for an attribute in the sys module
>so that you can verify the behavior.

That would be read-only though, right?


More information about the Python-Dev mailing list