[Python-Dev] Status of the fix for the hash collision vulnerability
Jeremy Sanders
jeremy at jeremysanders.net
Tue Jan 17 16:44:21 CET 2012
Jeremy Sanders wrote:
> Victor Stinner wrote:
>
>> If hash(str1)&DICT_MASK == hash(str2)&DICT_MASK but
>> hash(str1)!=hash(str2), strings are not compared (this is a common
>> optimization in Python), and the so the attack would not be successful
>> (it would be slow, but not as slow as comparing two strings).
>
> It's a shame the hash function can't take a second salt parameter to
> include in the hash. Each dict could have its own salt, generated from a
> quick pseudo-random generator.
Please ignore... forgot that the hashes are cached for strings!
Jeremy
More information about the Python-Dev
mailing list