Enforcing hash randomization (was: [RELEASED] Second release candidates for Python 2.6.8, 2.7.3, 3.1.5, and 3.2.3)
michael at stroeder.com
Tue Mar 20 19:49:55 CET 2012
Benjamin Peterson wrote:
> Hash randomization causes the iteration order of dicts and sets to be
> unpredictable and differ across Python runs. Python has never guaranteed
> iteration order of keys in a dict or set, and applications are advised to never
> rely on it. Historically, dict iteration order has not changed very often across
> releases and has always remained consistent between successive executions of
> Python. Thus, some existing applications may be relying on dict or set ordering.
> Because of this and the fact that many Python applications which don't accept
> untrusted input are not vulnerable to this attack, in all stable Python releases
> mentioned here, HASH RANDOMIZATION IS DISABLED BY DEFAULT. There are two ways to
> enable it. The -R commandline option can be passed to the python executable. It
> can also be enabled by setting an environmental variable PYTHONHASHSEED to
> "random". (Other values are accepted, too; pass -h to python for complete

I wonder how I could enforce hash randomization from within a Python app
without too much hassle. I'd like to avoid having to rely on sys-admins doing
the right thing when installing my web2ldap.

    os.environ['PYTHONHASHSEED'] = 'random'

before forking a process would be a solution. But is there another way?
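
One way to do this from inside the application is a start-up guard that checks `sys.flags.hash_randomization` and re-executes the interpreter with `PYTHONHASHSEED=random` when the check fails. This is an added example, not code from the original post or from web2ldap; the function names and the `HASHSEED_REEXEC_DONE` marker variable are assumptions made for illustration.

```python
import os
import sys

# Hypothetical marker variable: set before the re-exec so a second failure
# is reported instead of looping forever.
REEXEC_MARKER = "HASHSEED_REEXEC_DONE"


def randomization_ok(flag, env):
    """True when hashing is randomized and the seed is not pinned.

    flag is sys.flags.hash_randomization; env is a mapping like os.environ.
    A fixed integer PYTHONHASHSEED is treated as not acceptable because the
    seed is then known to anyone who can read the environment.
    """
    seed = env.get("PYTHONHASHSEED", "")
    return bool(flag) and seed in ("", "random")


def hardened_env(env):
    """Copy of env with randomization requested and the loop guard set."""
    new_env = dict(env)
    new_env["PYTHONHASHSEED"] = "random"
    new_env[REEXEC_MARKER] = "1"
    return new_env


def enforce_hash_randomization():
    """Call first thing at start-up, before any untrusted input is parsed."""
    flag = getattr(sys.flags, "hash_randomization", None)
    if flag is None:
        # Interpreter predates the releases that added the option.
        raise RuntimeError("this Python has no hash randomization support")
    if randomization_ok(flag, os.environ):
        return
    if os.environ.get(REEXEC_MARKER):
        # Already re-executed once, e.g. the environment is ignored (-E).
        raise RuntimeError("could not enable hash randomization")
    # sys.orig_argv (Python 3.10+) keeps interpreter options such as -O;
    # older versions fall back to the script arguments only.
    argv = list(getattr(sys, "orig_argv", [])) or [sys.executable] + sys.argv
    os.execve(sys.executable, argv, hardened_env(os.environ))


if __name__ == "__main__":
    enforce_hash_randomization()
    print("hash_randomization =", sys.flags.hash_randomization)
```

The guard replaces the running process, so it has to run before sockets are opened or threads are started.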