[Python-Dev] Make str/bytes hash algorithm pluggable?

Victor Stinner victor.stinner at gmail.com
Fri Oct 4 11:15:17 CEST 2013


2013/10/4 Armin Rigo <arigo at tunes.org>:
> The current hash randomization is
> simply not preventing anything; someone posted long ago a way to
> recover bit-by-bit the hash randomized used by a remote web program in
> Python running on a server.

Oh interesting, is it public? If yes, could we please search the URL
of the exploit? I'm more motivated to fix an issue if it is proved to
be exploitable.

I still fail to understand the real impact of a hash DoS compared to
other kinds of DoS. It's like the XML bomb: the vulnerability was also
known for many years, but Christian only fixed the issue recently
(and the fix was implemented in a package on the Cheeseshop, not in
the stdlib! Is that correct?).

> The only benefit of this hash
> randomization option (-R) was to say to the press that Python fixed
> very quickly the problem when it was mediatized :-/

The real benefit is to warn users that they should not rely on the
dictionary or set order/representation (in their unit tests), and that
the hash function is not deterministic :-)

(So now it is much easier to replace the hash function with SipHash or
anything else, without breaking new applications.)

Victor

