Message150559
Christian Heimes proposes the following change in its randomhash branch (see issue #13704):
- x = (Py_uhash_t) *p << 7;
+ x = Py_RndHashSeed + ((Py_uhash_t) *p << 7);
for (i = 0; i < len; i++)
x = (1000003U * x) ^ (Py_uhash_t) *p++;
x ^= (Py_uhash_t) len;
This change doesn't add any security if the attacker can inject any string and retreive the hash value. You can retreive directly Py_RndHashSeed using:
Py_RndHashSeed = intmask((hash("a") ^ len("a") ^ ord("a")) * DIVIDE) - (ord("a") << 7)
where intmask() truncates to a long (x mod 2^(long bits)) and DIVIDE = 1/1000003 mod 2^(long bits). For example, DIVIDE=2021759595 for 32 bits long. |
|
Date |
User |
Action |
Args |
2012-01-04 00:22:37 | vstinner | set | recipients:
+ vstinner, gvanrossum, barry, georg.brandl, pitrou, christian.heimes, benjamin.peterson, alex, dmalcolm, PaulMcMillan |
2012-01-04 00:22:37 | vstinner | set | messageid: <1325636557.52.0.9529812418.issue13703@psf.upfronthosting.co.za> |
2012-01-04 00:22:36 | vstinner | link | issue13703 messages |
2012-01-04 00:22:36 | vstinner | create | |
|