Author gregory.p.smith
Recipients Arach, Arfrever, Huzaifa.Sidhpurwala, Jim.Jewett, Mark.Shannon, PaulMcMillan, Zhiping.Deng, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, eric.snow, fx5, georg.brandl, grahamd, gregory.p.smith, gvanrossum, gz, haypo, jcea, lemburg, mark.dickinson, merwok, neologix, pitrou, skrah, terry.reedy, tim.peters, v+python, zbysz
Date 2012-01-21.23:42:29
Message-id <CAGE7PNJX1GmJpf9A=x-qS+LdBZMbp0=YRfn1KZhtKjNT2W9j8g@mail.gmail.com>
In-reply-to <1327185811.3382.28.camel@localhost.localdomain>
Content
On Sat, Jan 21, 2012 at 2:45 PM, Antoine Pitrou <report@bugs.python.org> wrote:
>
> Antoine Pitrou <pitrou@free.fr> added the comment:
>
>> You said above that it should be hardcoded; if so, how can it be changed
>> at run-time from an environment variable?  Or am I misunderstanding.
>
> You're right, I used the wrong word. I meant it should be a constant
> independently of the dict size. But, indeed, not hard-coded in the
> source.
>
>> > > BTW, presumably if we do it, we should do it for sets as well?
>> >
>> > Yeah, and use the same env var / sys function.
>>
>> Despite the "DICT" in the title?  OK.
>
> Well, dict is the most likely target for these attacks.
>

While true, I wouldn't make that claim, as there will be applications
using a set in a vulnerable manner. I'd prefer to see any such
environment variable name used to configure this behavior not mention
DICT or SET but just say HASHTABLE. That is a much better bikeshed
color. ;)

I'm still in the hash seed randomization camp but I'm finding it
interesting all of the creative ways others are trying to "solve" this
problem in a way that could be enabled by default in stable versions
regardless. :)

-gps
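An added example, not part of this tracker message or of CPython, that makes the "hash seed randomization camp" concrete: it spawns child interpreters under different seeds and shows that str hashes change with the seed while int hashes do not, so only keys built from str/bytes get the protection. It assumes a Python 3.3 or later interpreter, where the PYTHONHASHSEED environment variable and sys.flags.hash_randomization exist; the probe string and number are constructed values.

```python
# Added example (not from the tracker thread or CPython). Assumes Python 3.3+,
# where PYTHONHASHSEED and sys.flags.hash_randomization are available.
import os
import subprocess
import sys

# Code run inside each child interpreter: print a str hash, an int hash and
# the randomization flag on one line so the parent can parse them.
PROBE = "import sys; print(hash({!r}), hash({!r}), sys.flags.hash_randomization)"


def hashes_in_child(seed, text="collision", number=123456789):
    """Run a child interpreter with PYTHONHASHSEED=seed.

    Returns (str_hash, int_hash, randomization_flag) as observed in that child.
    The probe values are constructed; any str and int would do.
    """
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run(
        [sys.executable, "-c", PROBE.format(text, number)],
        env=env, capture_output=True, text=True, check=True,
    ).stdout.split()
    return int(out[0]), int(out[1]), int(out[2])


def randomization_report(seeds=(1, 2)):
    """Compare two children started with different seeds.

    str hashes are expected to differ between seeds (the mitigation at work),
    int hashes are expected to be identical (ints are not covered by the seed).
    """
    (s1, i1, f1), (s2, i2, f2) = (hashes_in_child(s) for s in seeds)
    return {
        "str_hash_differs": s1 != s2,
        "int_hash_differs": i1 != i2,
        "randomization_flag": (f1, f2),
    }


def deterministic_with_seed_zero():
    """PYTHONHASHSEED=0 disables randomization: two runs hash identically."""
    return hashes_in_child(0) == hashes_in_child(0)


if __name__ == "__main__":
    print(randomization_report())
    print("seed 0 deterministic:", deterministic_with_seed_zero())
```

The int result is the caveat worth remembering when auditing a service: a hashtable keyed by attacker-chosen integers gets no benefit from the seed.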
History
Date | User | Action | Args
2012-01-21 23:42:30 | gregory.p.smith | set | recipients: + gregory.p.smith, lemburg, gvanrossum, tim.peters, barry, georg.brandl, terry.reedy, jcea, mark.dickinson, pitrou, haypo, christian.heimes, benjamin.peterson, merwok, grahamd, Arfrever, v+python, alex, zbysz, skrah, dmalcolm, gz, neologix, Arach, Mark.Shannon, eric.snow, Zhiping.Deng, Huzaifa.Sidhpurwala, Jim.Jewett, PaulMcMillan, fx5
2012-01-21 23:42:30 | gregory.p.smith | link | issue13703 messages
2012-01-21 23:42:29 | gregory.p.smith | create