This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients PaulMcMillan, alex, barry, benjamin.peterson, christian.heimes, dmalcolm, georg.brandl, gvanrossum, pitrou, vstinner
Date 2012-01-04.00:22:36
SpamBayes Score 0.0008345594
Marked as misclassified No
Message-id <1325636557.52.0.9529812418.issue13703@psf.upfronthosting.co.za>
In-reply-to
Content 
Christian Heimes proposes the following change in its randomhash branch (see issue #13704):

-    x = (Py_uhash_t) *p << 7;
+    x = Py_RndHashSeed + ((Py_uhash_t) *p << 7);
     for (i = 0; i < len; i++)
         x = (1000003U * x) ^ (Py_uhash_t) *p++;
     x ^= (Py_uhash_t) len;

This change doesn't add any security if the attacker can inject any string and retreive the hash value. You can retreive directly Py_RndHashSeed using:

Py_RndHashSeed = intmask((hash("a") ^ len("a") ^ ord("a")) * DIVIDE) - (ord("a") << 7)

where intmask() truncates to a long (x mod 2^(long bits)) and DIVIDE = 1/1000003 mod 2^(long bits). For example, DIVIDE=2021759595 for 32 bits long.
History
Date User Action Args
2012-01-04 00:22:37vstinnersetrecipients: + vstinner, gvanrossum, barry, georg.brandl, pitrou, christian.heimes, benjamin.peterson, alex, dmalcolm, PaulMcMillan
2012-01-04 00:22:37vstinnersetmessageid: <1325636557.52.0.9529812418.issue13703@psf.upfronthosting.co.za>
2012-01-04 00:22:36vstinnerlinkissue13703 messages
2012-01-04 00:22:36vstinnercreate