Author gregory.p.smith
Recipients Arfrever, amaury.forgeotdarc, barry, benjamin.peterson, dmalcolm, georg.brandl, gregory.p.smith, pitrou
Date 2012-03-14.20:55:35
Message-id <1331758536.53.0.888329444721.issue14234@psf.upfronthosting.co.za>
Content
False alarm, that's just what happens when PYTHONHASHSEED=0 (I won't be committing the assert, I was just testing behavior).

For what it's worth, the xmlparse.c generate_hash_seed() function is pretty poor as far as picking a random number goes, as it is time based and it is often easy for an attacker to figure out the time on a process they're injecting data into and thus construct a targeted attack. It is still better than nothing but it could be better. I'd leave improving that up to the upstream expat project.

When PYTHONHASHSEED is enabled, pyexpat will never use that function. It does mean we use a constant seed for the life of the process when it is enabled, and revert to the expat behavior of using the expat parser creation time based seed otherwise.
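
The following is an added example, not part of the message above and not expat's or CPython's code. It models a seed derived from the wall clock (the helper names, the `srand`/`rand` derivation and the sample timestamp are assumptions) to show how few values remain possible once the creation time is known to within a window, next to a seed read from the OS random source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Model of a time-derived seed (assumption: not expat's actual code). */
static unsigned long time_based_seed(time_t now)
{
    srand((unsigned int)now);
    return (unsigned long)rand();
}

/* Count the seeds that remain possible when the creation time is known
 * to within +/- window seconds, and report whether the real seed is
 * one of them. */
static long candidate_seeds(time_t estimate, long window,
                            unsigned long real_seed, int *found)
{
    long count = 0;
    *found = 0;
    for (time_t t = estimate - window; t <= estimate + window; t++) {
        if (time_based_seed(t) == real_seed)
            *found = 1;
        count++;
    }
    return count;
}

/* Hardened alternative: take the seed from the OS random source.
 * Returns 0 on success, -1 on failure. */
static int os_random_seed(unsigned long *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

int main(void)
{
    time_t created = 1700000000;  /* constructed sample creation time */
    unsigned long seed = time_based_seed(created), s;
    int found;
    long n = candidate_seeds(created + 7, 30, seed, &found);
    printf("time-based: %ld possible seeds, real seed among them: %d\n", n, found);
    if (os_random_seed(&s) == 0)
        printf("OS source: %zu bytes independent of the clock\n", sizeof s);
    return 0;
}
```

A clock estimate that is 7 seconds off with a 30-second window still leaves only 61 possible seeds, which is why a seed that does not depend on the clock is the stronger choice.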
History
Date User Action Args
2012-03-14 20:55:36 gregory.p.smith set recipients: + gregory.p.smith, barry, georg.brandl, amaury.forgeotdarc, pitrou, benjamin.peterson, Arfrever, dmalcolm
2012-03-14 20:55:36 gregory.p.smith set messageid: <1331758536.53.0.888329444721.issue14234@psf.upfronthosting.co.za>
2012-03-14 20:55:35 gregory.p.smith link issue14234 messages
2012-03-14 20:55:35 gregory.p.smith create