[Python-Dev] Status of the fix for the hash collision vulnerability
Jeremy Sanders
jeremy at jeremysanders.net
Tue Jan 17 16:39:03 CET 2012
Victor Stinner wrote:
> If hash(str1)&DICT_MASK == hash(str2)&DICT_MASK but
> hash(str1)!=hash(str2), strings are not compared (this is a common
> optimization in Python), and so the attack would not be successful
> (it would be slow, but not as slow as comparing two strings).
It's a shame the hash function can't take a second salt parameter to include
in the hash. Each dict could have its own salt, generated from a quick
pseudo-random generator.
Jeremy
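
The two points in this exchange, as an added example that is not part of the original message and not CPython's dict code: a toy open-addressing table that compares strings only when full hashes match, with an optional per-table salt. `ToyDict`, `salted_hash`, `colliding_keys`, `measure`, the 64-slot size and the keyed BLAKE2b stand-in hash are all assumptions made for the illustration.

```python
import hashlib
import os

MASK = 63  # 64-slot toy table; plays the role of DICT_MASK in the quoted text

def salted_hash(key, salt=b""):
    # Stand-in 64-bit hash (keyed BLAKE2b), not CPython's string hash.
    digest = hashlib.blake2b(key.encode(), key=salt, digest_size=8).digest()
    return int.from_bytes(digest, "little")

class ToyDict:
    """Open-addressing set with linear probing and an optional per-table salt."""
    def __init__(self, salt=b""):
        self.salt = salt
        self.slots = [None] * (MASK + 1)
        self.probes = 0        # occupied slots stepped over
        self.str_compares = 0  # full string comparisons performed

    def add(self, key):
        h = salted_hash(key, self.salt)
        i = h & MASK
        while self.slots[i] is not None:
            stored_hash, stored_key = self.slots[i]
            if stored_hash == h:  # compare strings only on a full-hash match
                self.str_compares += 1
                if stored_key == key:
                    return
            self.probes += 1
            i = (i + 1) & MASK
        self.slots[i] = (h, key)

def colliding_keys(count):
    # Constructed input: unsalted hashes share a masked index but differ in full.
    keys, n = [], 0
    while len(keys) < count:
        if salted_hash(f"k{n}") & MASK == 0:
            keys.append(f"k{n}")
        n += 1
    return keys

def measure(keys, salt=b""):
    table = ToyDict(salt)
    for key in keys:
        table.add(key)
    return table.probes, table.str_compares

if __name__ == "__main__":
    keys = colliding_keys(16)
    print("unsalted:", measure(keys))              # long probe chain, no string compares
    print("salted:  ", measure(keys, os.urandom(16)))
```

Without a salt the 16 keys form a single probe chain yet trigger no string comparisons; with a per-table salt the same keys no longer share a masked index.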