[Python-Dev] Status of the fix for the hash collision vulnerability

martin at v.loewis.de martin at v.loewis.de
Sat Jan 14 13:09:40 CET 2012

>> I think this statement (and the patch) is wrong. You also need to change
>> the byte string hashing, at least for 2.x. This I consider the biggest
>> flaw in that approach - other people may have written string-like objects
>> which continue to compare equal to a string but now hash different.
> They're unlikely to have rewritten the hash algorithm by hand -
> especially given the caveats wrt. differences between Python integers
> and C integers.

See the CHAR_HASH macro in

It's not *that* unlikely that more copies of that algorithm exist.


More information about the Python-Dev mailing list