[Python-Dev] Hash collision security issue (now public)

Nick Coghlan ncoghlan at gmail.com
Fri Jan 6 01:10:52 CET 2012

On Fri, Jan 6, 2012 at 8:15 AM, Serhiy Storchaka <storchaka at gmail.com> wrote:
> 05.01.12 21:14, Glenn Linderman написав(ла):
>> So, fixing the vulnerable packages could be a sufficient response,
>> rather than changing the hash function.  How to fix?  Each of those
>> above allocates and returns a dict.  Simply have each of those allocate
>> and return and wrapped dict, which has the following behaviors:
>> i) during __init__, create a local, random, string.
>> ii) for all key values, prepend the string, before passing it to the
>> internal dict.
> Good idea.

Not a good idea - a lot of the 3rd party tests that depend on dict
ordering are going to be using those modules anyway, so scattering our
solution across half the standard library is needlessly creating
additional work without really reducing the incompatibility problem.
If we're going to change anything, it may as well be the string
hashing algorithm itself.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-Dev mailing list