[Python-Dev] Hash collision security issue (now public)

Benjamin Peterson benjamin at python.org
Fri Jan 6 01:59:49 CET 2012

2012/1/5 Nick Coghlan <ncoghlan at gmail.com>:
> On Fri, Jan 6, 2012 at 10:07 AM, Steven D'Aprano <steve at pearwood.info> wrote:
>> Surely the way to verify the behaviour is to run this from the shell:
>> python -c print(hash("abcde"))
>> twice, and see that the calls return different values. (Or have I
>> misunderstood the way the fix is going to work?)
>> In any case, I wouldn't want to rely on the presence of a flag in the sys
>> module to verify the behaviour, I'd want to see for myself that hash
>> collisions are no longer predictable.
> More directly, you can just check that the hash of the empty string is non-zero.
> So -1 for a flag in the sys module - "hash('') != 0" should serve as a
> sufficient check whether or not process-level string hash
> randomisation is in effect.

What exactly is the disadvantage of a sys attribute? That would seem
preferable to an obscure incarnation like that.


More information about the Python-Dev mailing list