[Python-Dev] Status of the fix for the hash collision vulnerability

Victor Stinner victor.stinner at haypocalc.com
Tue Jan 17 13:28:52 CET 2012

I finished my patch transforming hash(str) to a randomized hash
function, see random-8.patch attached to the issue:

The remaining question is which random number generator should be used
on Windows to initialize the hash secret (CryptoGen adds an overhead
of 10%, at least when the DLL is loaded dynamically), read the issue
for the details.

I plan to commit my fix to Python 3.3 if it is accepted. Then write a
simplified version to Python 3.2 and backport it to 3.1. Then backport
the simplified fix to 2.7, and finally to 2.6.

The vulnerability is public since one month, it is maybe time to fix
it before it is widely exploited.


More information about the Python-Dev mailing list