Message349801
> shouldn't numerics, datetime objects, and tuples be non-deterministically hashed as well? [...]
Making the numeric hash non-predictable while maintaining its current properties would be difficult.
But fortunately, I don't think it's necessary. IIUC, the original DOS attack involved carefully-crafted collections of keywords and values being passed to a website backend, with that backend then putting those keywords and values into a Python dictionary. I'd expect that there are *way* more places where a dict is being constructed with string keys in this way than with numeric keys. In fact, I think it's reasonable to assume that there are no websites vulnerable to a DOS via *numeric* hash collisions until we see evidence otherwise.
FWIW, I'd expect the same to be true for datetime objects; I'm not sure why they were originally included. IANASE, but it seems to me that covering Unicode strings and bytestrings should be enough in practice.

| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2019-08-15 10:50:14 | mark.dickinson | set | recipients: + mark.dickinson, lemburg, rhettinger, belopolsky, christian.heimes, benjamin.peterson, dmalcolm, serhiy.storchaka, epicfaace |
| 2019-08-15 10:50:14 | mark.dickinson | set | messageid: <1565866214.8.0.841796888065.issue29535@roundup.psfhosted.org> |
| 2019-08-15 10:50:14 | mark.dickinson | link | issue29535 messages |
| 2019-08-15 10:50:14 | mark.dickinson | create | |
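A defender-side check of which built-in types actually receive the salted hash, added here as an example and not part of this thread or of CPython itself: it runs a small probe in two child interpreters started with different PYTHONHASHSEED values and reports, per type, whether the hash changed between them. The sample values are constructed; the type names are labels chosen for this example.

```python
import os
import subprocess
import sys

# Probe executed in a child interpreter. The sample values are constructed
# for this example; each one stands in for a dict key of that type.
PROBE_CODE = r"""
import datetime
samples = {
    "str": "issue29535",
    "bytes": b"issue29535",
    "int": 29535,
    "float": 2.9535,
    "tuple_of_ints": (2, 9, 5, 3, 5),
    "naive_datetime": datetime.datetime(2019, 8, 15, 10, 50, 14),
}
for name, value in samples.items():
    print(name, hash(value))
"""


def hashes_with_seed(seed):
    """Run the probe in a fresh interpreter pinned to one PYTHONHASHSEED."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run(
        [sys.executable, "-c", PROBE_CODE],
        env=env, capture_output=True, text=True, check=True,
    ).stdout
    return {name: int(h) for name, h in (ln.split() for ln in out.splitlines())}


def randomized_types(seed_a=1, seed_b=2):
    """Map each probed type to True if its hash differs between two seeds.

    A type whose hash is stable across seeds is not covered by hash
    randomization, which is the property the message above discusses.
    """
    a, b = hashes_with_seed(seed_a), hashes_with_seed(seed_b)
    return {name: a[name] != b[name] for name in a}


if __name__ == "__main__":
    for name, salted in randomized_types().items():
        print(f"{name:16s} {'randomized' if salted else 'deterministic'}")
```

On CPython this reports str and bytes as randomized and int, float and int-only tuples as deterministic, which is exactly the split the message argues is acceptable.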