[issue13703] Hash collision security issue

Dave Malcolm report at bugs.python.org
Mon Jan 30 02:44:15 CET 2012 

Dave Malcolm <dmalcolm at redhat.com> added the comment:

On Sat, 2012-01-28 at 23:56 +0000, Terry J. Reedy wrote:
> Terry J. Reedy <tjreedy at udel.edu> added the comment:
> 
> > I think you should check with randomization enabled, if only to see the
> > nature of the failures and if they are expected.
> 
> Including the list of when-enabled expected failures in the release 
> notes would help those who compile and test.

Am attaching a patch which fixes various problems that are clearly just
assumptions about dict ordering:
  fix-unittests-broken-by-randomization-dmalcolm-2012-01-29-001.patch

 json/__init__.py                        |    4 +++-
 test/mapping_tests.py                   |    2 +-
 test/test_descr.py                      |   12 +++++++++++-
 test/test_urllib.py                     |    4 +++-
 tkinter/test/test_ttk/test_functions.py |    2 +-
 5 files changed, 19 insertions(+), 5 deletions(-)

Here are the issues that it fixes:
Lib/test/test_descr.py: fix for intermittent failure due to dict repr:
      File "Lib/test/test_descr.py", line 4304, in test_repr
        self.assertEqual(repr(self.C.__dict__), 'dict_proxy({!r})'.format(dict_))
    AssertionError: "dict_proxy({'__module__': 'test.test_descr', '__dict__': <attribute '__dict__' of 'C' objects>, '__doc__': None, '__weakref__': <attribute '__weakref__' of 'C' objects>, 'meth': <function meth at 0x5834be0>})"
                 != "dict_proxy({'__module__': 'test.test_descr', '__doc__': None, '__weakref__': <attribute '__weakref__' of 'C' objects>, 'meth': <function meth at 0x5834be0>, '__dict__': <attribute '__dict__' of 'C' objects>})"

Lib/json/__init__.py: fix (based on haypo's work) for intermittent failure:
    Failed example:
        json.dumps([1,2,3,{'4': 5, '6': 7}], separators=(',', ':'))
    Expected:
        '[1,2,3,{"4":5,"6":7}]'
    Got:
        '[1,2,3,{"6":7,"4":5}]'

Lib/test/mapping_tests.py: fix (based on haypo's work) for intermittent failures of test_collections, test_dict, and test_userdict seen here:
    ======================================================================
    ERROR: test_update (__main__.GeneralMappingTests)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "Lib/test/mapping_tests.py", line 207, in test_update
        i1 = sorted(d.items())
    TypeError: unorderable types: str() < int()

Lib/test/test_urllib.py: fix (based on haypo's work) for intermittent failure:
    ======================================================================
    FAIL: test_nonstring_seq_values (__main__.urlencode_Tests)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "Lib/test/test_urllib.py", line 844, in test_nonstring_seq_values
        urllib.parse.urlencode({"a": {"a": 1, "b": 1}}, True))
    AssertionError: 'a=a&a=b' != 'a=b&a=a'
    ----------------------------------------------------------------------

Lib/tkinter/test/test_ttk/test_functions.py: fix from haypo's patch for intermittent failure:
    Traceback (most recent call last):
      File "Lib/tkinter/test/test_ttk/test_functions.py", line 146, in test_format_elemcreate
        ('a', 'b'), a='x', b='y'), ("test a b", ("-a", "x", "-b", "y")))
    AssertionError: Tuples differ: ('test a b', ('-b', 'y', '-a',... != ('test a b', ('-a', 'x', '-b',...

I see two remaining issues (which this patch doesn't address):
test test_module failed -- Traceback (most recent call last):
  File "Lib/test/test_module.py", line 79, in test_clear_dict_in_ref_cycle
    self.assertEqual(destroyed, [1])
AssertionError: Lists differ: [] != [1]

test_multiprocessing
Exception AssertionError: AssertionError() in <Finalize object, dead> ignored

----------
Added file: http://bugs.python.org/file24366/unnamed

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unnamed
Type: text/x-patch
Size: 3683 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-bugs-list/attachments/20120130/90821f5a/attachment.bin>

More information about the Python-bugs-list mailing list