Author mark.dickinson
Recipients belopolsky, benjamin.peterson, christian.heimes, dmalcolm, epicfaace, lemburg, mark.dickinson, rhettinger, serhiy.storchaka
Date 2019-08-15.10:50:14
> shouldn't numerics, datetime objects, and tuples be non-deterministically hashed as well? [...]

Making the numeric hash non-predictable while maintaining its current properties would be difficult.

But fortunately, I don't think it's necessary. IIUC, the original DOS attack involved carefully-crafted collections of keywords and values being passed to a website backend, with that backend then putting those keywords and values into a Python dictionary. I'd expect that there are *way* more places where a dict is being constructed with string keys in this way than with numeric keys. In fact, I think it's reasonable to assume that there are no websites vulnerable to a DOS via *numeric* hash collisions until we see evidence otherwise.

FWIW, I'd expect the same to be true for datetime objects; I'm not sure why they were originally included. IANASE, but it seems to me that covering Unicode strings and bytestrings should be enough in practice.
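
Added example, not part of the original message: a check of which built-in types actually change hash when `PYTHONHASHSEED` changes, alongside one documented property of numeric hashes (numbers that compare equal hash equally across types) that a randomized numeric hash would have to preserve. The sample keys and function names are constructed for illustration.

```python
import os
import subprocess
import sys
from decimal import Decimal
from fractions import Fraction

# Constructed sample keys: one str, one bytes, one int, one float.
PROBE = "print(hash('keyword'), hash(b'keyword'), hash(12345), hash(2.5))"


def hashes_under_seed(seed):
    """Run a fresh interpreter with PYTHONHASHSEED=seed; return its four hashes."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    out = subprocess.run([sys.executable, "-c", PROBE], env=env,
                         capture_output=True, text=True, check=True).stdout
    return tuple(int(tok) for tok in out.split())


def compare_seeds(seed_a=1, seed_b=2):
    """Map each probed type to True if its hash changed between the two seeds."""
    a, b = hashes_under_seed(seed_a), hashes_under_seed(seed_b)
    names = ("str", "bytes", "int", "float")
    return {name: x != y for name, x, y in zip(names, a, b)}


def numeric_invariant_holds(value=3):
    """Equal numbers of different types share one hash and one dict slot."""
    same = [value, float(value), Fraction(value, 1), Decimal(value),
            complex(value, 0)]
    one_hash = len({hash(x) for x in same}) == 1
    one_key = len({x: None for x in same}) == 1
    return one_hash and one_key


if __name__ == "__main__":
    print(compare_seeds())            # str/bytes vary by seed, int/float do not
    print(numeric_invariant_holds())  # cross-type equality implies equal hash
```
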