String interning in Python 3 - missing or moved?

Stefan Behnel stefan_ml at
Tue Jan 24 03:17:00 EST 2012

Chris Angelico, 24.01.2012 05:47:
> Lua and Pike both quite happily solved hash collision attacks in their
> interning of strings by randomizing the hash used, because there's no
> way to rely on it. Presumably (based on the intern() docs) Python can
> do the same, if you explicitly intern your strings first. Is it worth
> recommending that people do this with anything that is
> client-provided, and then simply randomize the intern() hash?

If you want to encourage them to fill up their memory with user provided
data in a non-erasable way, then sure, that would certainly keep an
attacker from having to figure out hash collisions in order to bring down a
system. Sending *any* arbitrarily varied data would be enough then.


More information about the Python-list mailing list