[Python-Dev] Hash collision security issue (now public)
Nick Coghlan
ncoghlan at gmail.com
Fri Jan 6 02:33:50 CET 2012
On Fri, Jan 6, 2012 at 10:59 AM, Benjamin Peterson <benjamin at python.org> wrote:
> What exactly is the disadvantage of a sys attribute? That would seem
> preferable to an obscure incarnation like that.
Adding sys attributes in maintenance (or security) releases makes me nervous.
However, Victor and Christian are right about the need for a special
case to avoid leaking information, so my particular suggested check
won't work.
The most robust check would be to run sys.executable in a subprocess
and check if it gives the same hash for a non-empty string as the
current process.
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
More information about the Python-Dev
mailing list