[Python-Dev] Hash collision security issue (now public)

Steven D'Aprano steve at pearwood.info
Fri Jan 6 01:07:27 CET 2012

David Malcolm wrote:

> When backporting the fix to ancient python versions, I'm inclined to
> turn the change *off* by default, requiring the change to be enabled via
> an environment variable: I want to avoid breaking existing code, even if
> such code is technically relying on non-guaranteed behavior.  But we
> could potentially tweak mod_python/mod_wsgi so that it defaults to *on*.
> That way /usr/bin/python would default to the old behavior, but web apps
> would have some protection.   Any such logic here also suggests the need
> for an attribute in the sys module so that you can verify the behavior.

Surely the way to verify the behaviour is to run this from the shell:

python -c print(hash("abcde"))

twice, and see that the calls return different values. (Or have I 
misunderstood the way the fix is going to work?)

In any case, I wouldn't want to rely on the presence of a flag in the sys 
module to verify the behaviour, I'd want to see for myself that hash 
collisions are no longer predictable.


More information about the Python-Dev mailing list