String interning in Python 3 - missing or moved?

Stefan Behnel stefan_ml at behnel.de
Tue Jan 24 03:17:00 EST 2012


Chris Angelico, 24.01.2012 05:47:
> Lua and Pike both quite happily solved hash collision attacks in their
> interning of strings by randomizing the hash used, because there's no
> way to rely on it. Presumably (based on the intern() docs) Python can
> do the same, if you explicitly intern your strings first. Is it worth
> recommending that people do this with anything that is
> client-provided, and then simply randomize the intern() hash?

If you want to encourage them to fill up their memory with user-provided
data in a non-erasable way, then sure, that would certainly keep an
attacker from having to figure out hash collisions in order to bring down a
system. Sending *any* arbitrarily varied data would be enough then.

Stefan



