[issue13703] Hash collision security issue
Marc-Andre Lemburg
report at bugs.python.org
Wed Jan 11 18:38:10 CET 2012
Marc-Andre Lemburg <mal at egenix.com> added the comment:

Mark Dickinson wrote:
>
> Mark Dickinson <dickinsm at gmail.com> added the comment:
>
> [Antoine]
>> Also, how about false positives? Having legitimate programs break
>> because of legitimate data would be a disaster.
>
> This worries me, too.
>
> [MAL]
>> Yes, which is why the patch should be disabled by default (using
>> an env var) in dot-releases.
>
> Are you proposing having it enabled by default in Python 3.3?

Possibly, yes. Depends on whether anyone comes up with a problem in
the alpha, beta, RC release cycle.

It would be great to have the universal hash method approach for
Python 3.3. That way Python could self-heal itself in case it
finds too many collisions. My guess is that it's still better
to raise an exception, though, since it would uncover either
attacks or programming errors.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue13703>
_______________________________________