[Python-Dev] Hashes in Python3.5 for tuples and frozensets
Christian Heimes
christian at python.org
Wed May 16 21:41:49 EDT 2018
On 2018-05-16 18:10, Raymond Hettinger wrote:
>
>
>> On May 16, 2018, at 5:48 PM, Anthony Flury via Python-Dev <python-dev at python.org> wrote:
>>
>> However the frozen set hash, the same in both cases, as is the hash of the tuples - suggesting that the vulnerability resolved in Python 3.3 wasn't resolved across all potentially hashable values.
>
> You are correct. The hash randomization only applies to strings. None of the other object hashes were altered. Whether this is a vulnerability or not depends greatly on what is exposed to users (generally strings) and how it is used.
>
> For the most part, it is considered a feature that integers hash to themselves. That is very fast to compute :-) Also, it tends to prevent hash collisions for consecutive integers.
Raymond is 100% correct. Just one small nit pick: randomization applies
to both string and bytes.
Christian
More information about the Python-Dev
mailing list