[Python-Dev] Status of the fix for the hash collision vulnerability

Antoine Pitrou solipsis at pitrou.net
Sat Jan 14 09:33:02 CET 2012

On Sat, 14 Jan 2012 04:45:57 +0100
martin at v.loewis.de wrote:
> > What an implementation looks like:
> >
> >  http://pastebin.com/9ydETTag
> >
> > some stuff to be filled in, but this is all that is really required.
> I think this statement (and the patch) is wrong. You also need to change
> the byte string hashing, at least for 2.x. This I consider the biggest
> flaw in that approach - other people may have written string-like objects
> which continue to compare equal to a string but now hash different.

They're unlikely to have rewritten the hash algorithm by hand -
especially given the caveats wrt. differences between Python integers
and C integers.
Rather, they would have returned the hash() of the equivalent str or
unicode object.



More information about the Python-Dev mailing list