[Python-Dev] Status of the fix for the hash collision vulnerability

Antoine Pitrou solipsis at pitrou.net
Sat Jan 14 09:33:02 CET 2012


On Sat, 14 Jan 2012 04:45:57 +0100
martin at v.loewis.de wrote:
> > What an implementation looks like:
> >
> >  http://pastebin.com/9ydETTag
> >
> > some stuff to be filled in, but this is all that is really required.
> 
> I think this statement (and the patch) is wrong. You also need to change
> the byte string hashing, at least for 2.x. This I consider the biggest
> flaw in that approach - other people may have written string-like objects
> which continue to compare equal to a string but now hash different.

They're unlikely to have rewritten the hash algorithm by hand -
especially given the caveats wrt. differences between Python integers
and C integers.
Rather, they would have returned the hash() of the equivalent str or
unicode object.

Regards

Antoine.
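Antoine's point above, as an added example that is not part of the thread: two string-like classes, one delegating `__hash__` to `hash()` of the equivalent `str`, the other re-implementing the pre-randomization CPython string hash by hand (constructed here for illustration), and a check of whether each still satisfies the equal-objects-hash-equal contract and works as a dict key once the interpreter's `str` hash changes.

```python
# Added example: why a str-like object should delegate to hash() of the
# equivalent str instead of re-implementing the algorithm by hand.

def legacy_str_hash(s: str) -> int:
    """Hand-rolled copy of the classic pre-randomization CPython string hash.
    Constructed for illustration; it is NOT what the running interpreter uses."""
    if not s:
        return 0
    x = ord(s[0]) << 7
    for ch in s:
        x = (1000003 * x) ^ ord(ch)
    x ^= len(s)
    x &= (1 << 64) - 1              # wrap like a 64-bit C long
    if x >= 1 << 63:
        x -= 1 << 64
    return -2 if x == -1 else x     # -1 is reserved as an error value


class HandRolledStr:
    """Fragile pattern: compares equal to str, but hashes with its own copy
    of the algorithm. Any change to the interpreter's str hash (randomized
    seed, new algorithm) silently breaks the eq/hash contract."""
    def __init__(self, value: str):
        self.value = value

    def __eq__(self, other):
        other_value = other.value if isinstance(other, HandRolledStr) else other
        return self.value == other_value if isinstance(other_value, str) else NotImplemented

    def __hash__(self):
        return legacy_str_hash(self.value)


class DelegatingStr(HandRolledStr):
    """Robust pattern: hash() of the equivalent str, whatever the interpreter does."""
    def __hash__(self):
        return hash(self.value)


def contract_holds(obj) -> bool:
    """Equal objects must hash equal: obj == str and hash(obj) == hash(str)."""
    return obj == obj.value and hash(obj) == hash(obj.value)


def dict_lookup_works(cls, key: str = "secret") -> bool:
    """Can a dict keyed by a real str be hit with the str-like object?"""
    table = {key: 1}
    return cls(key) in table
```

Running under any Python 3 with SipHash-based str hashing, `DelegatingStr` passes both checks while `HandRolledStr` fails them, which is exactly the breakage the quoted message warns about.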
