[Python-Dev] Make str/bytes hash algorithm pluggable?

Antoine Pitrou solipsis at pitrou.net
Fri Oct 4 11:57:39 CEST 2013


On Fri, 4 Oct 2013 11:15:17 +0200,
Victor Stinner <victor.stinner at gmail.com> wrote:

> 2013/10/4 Armin Rigo <arigo at tunes.org>:
> > The current hash randomization is
> > simply not preventing anything; someone posted long ago a way to
> > recover bit-by-bit the randomized hash used by a remote web program
> > in Python running on a server.
> 
> Oh interesting, is it public? If yes, could we please search the URL
> of the exploit? I'm more motivated to fix an issue if it is proved to
> be exploitable.
> 
> I still fail to understand the real impact of a hash DoS compared to
> other kinds of DoS. It's like the XML bomb: the vulnerability was also
> known for many years, but Christian only fixed the issue recently
> (and the fix was implemented in a package on the Cheeseshop, not in
> the stdlib! Is that correct?).
> 
> > The only benefit of this hash
> > randomization option (-R) was to say to the press that Python fixed
> > the problem very quickly when it was mediatized :-/
> 
> The real benefit is to warn users that they should not rely on the
> dictionary or set order/representation (in their unit tests), and that
> the hash function is not deterministic :-)

I agree it probably had educational value.

Regards

Antoine.
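As an added illustration of the point Victor makes about dict/set order (example code, not taken from the thread or from CPython): spawning fresh interpreters under different PYTHONHASHSEED values shows that str hashes, and therefore set iteration order, change between runs, and that a test should compare an order-independent view instead. PYTHONHASHSEED and sys.executable are the real CPython knobs; the sample keys are constructed.

```python
import json
import os
import subprocess
import sys

# Constructed sample keys; any str values would do.
SAMPLE_KEYS = ["alpha", "beta", "gamma", "delta"]


def hashes_under_seed(seed, keys=SAMPLE_KEYS):
    """Run a fresh interpreter with PYTHONHASHSEED=seed and return the
    str hashes and the set iteration order that process observes.
    seed=0 disables randomization; any other value fixes the seed."""
    code = (
        "import sys, json; keys = sys.argv[1:]; "
        "print(json.dumps({'hashes': [hash(k) for k in keys], "
        "'order': list(set(keys))}))"
    )
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    proc = subprocess.run(
        [sys.executable, "-c", code, *keys],
        env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def same_seed_is_reproducible(seed=1):
    """Two processes with the same seed hash identically (why a
    fixed PYTHONHASHSEED is handy when debugging an order-dependent test)."""
    return hashes_under_seed(seed) == hashes_under_seed(seed)


def different_seeds_differ(seed_a=1, seed_b=2):
    """Two processes with different seeds see different str hashes,
    which is what breaks tests that baked in a dict or set ordering."""
    return hashes_under_seed(seed_a)["hashes"] != hashes_under_seed(seed_b)["hashes"]


def deterministic_view(keys):
    """Order-independent comparison value for a set of str keys: the
    fix for tests that previously relied on set/dict iteration order."""
    return sorted(set(keys))


if __name__ == "__main__":
    print("same seed reproducible:", same_seed_is_reproducible())
    print("different seeds differ:", different_seeds_differ())
    print("stable view:", deterministic_view(SAMPLE_KEYS))
```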
