[Python-Dev] Status of the fix for the hash collision vulnerability

Lennart Regebro regebro at gmail.com
Fri Jan 13 12:20:28 CET 2012

On Fri, Jan 13, 2012 at 02:24, Victor Stinner
<victor.stinner at haypocalc.com> wrote:
> - Glenn Linderman proposes to fix the vulnerability by adding a new
> "safe" dict type (only accepting string keys). His proof-of-concept
> (SafeDict.py) uses a secret of 64 random bits and uses it to compute
> the hash of a key.

This is my preferred solution. The vulnerability is basically only in
the dictionary you keep the form data you get from a request. This
solves it easily and nicely. It can also be a separate module
installable for Python 2, which many web frameworks still use, so it
can be practical implementable now, and not in a couple of years.

Then again, nothing prevents us from having both this, *and* one of
the other solutions.  :-)


More information about the Python-Dev mailing list