[Python-Dev] Hash collision security issue (now public)

Nick Coghlan ncoghlan at gmail.com
Fri Jan 6 01:34:55 CET 2012

On Fri, Jan 6, 2012 at 10:07 AM, Steven D'Aprano <steve at pearwood.info> wrote:
> Surely the way to verify the behaviour is to run this from the shell:
> python -c print(hash("abcde"))
> twice, and see that the calls return different values. (Or have I
> misunderstood the way the fix is going to work?)
> In any case, I wouldn't want to rely on the presence of a flag in the sys
> module to verify the behaviour, I'd want to see for myself that hash
> collisions are no longer predictable.

More directly, you can just check that the hash of the empty string is non-zero.

So -1 for a flag in the sys module - "hash('') != 0" should serve as a
sufficient check whether or not process-level string hash
randomisation is in effect.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Python-Dev mailing list