Friday, March 16, 2012

Python is going to have a randomized hash function

Barry Warsaw committed a fix for "Randomize hashes of xml attributes in the hash table internal to the pyexpat module" to 2.6 on March 14. The patch was written by David Malcolm based on work by Victor Stinner and with modifications by the Expat project.

This is collateral damage from the much-publicized hash function collision exploit. Expat is an XML parsing library that Python has a wrapper around. It was known to be vulnerable to the same O(N²) bug when one parses an XML element with many attributes that share the same hash, such as wzzgDM51, ezzDlT7W, hzzfbyVV and so on.

Starting from Python 2.6.8rc2, there is a new switch -R, and an environment variable PYTHONHASHSEED that control this randomization.
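To make the quadratic cost and the effect of a seed concrete, here is an added example (not code from this post, from Python, or from Expat). It assumes a toy fixed-size chained table, uses keyed BLAKE2b as a stand-in for a seeded hash, and builds its own sample attribute names; all function names are hypothetical.

```python
import hashlib
from itertools import count

BUCKETS = 64  # toy fixed-size chained table, no resizing (assumption for the example)

def bucket(key, seed):
    """Bucket index from a keyed hash; seed=b"" models a fixed, publicly known hash."""
    digest = hashlib.blake2b(key.encode(), key=seed, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS

def insert_cost(keys, seed):
    """Insert keys into the table and return how many key comparisons were needed."""
    table = [[] for _ in range(BUCKETS)]
    comparisons = 0
    for key in keys:
        chain = table[bucket(key, seed)]
        for existing in chain:      # the duplicate check walks the chain
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return comparisons

def same_bucket_keys(n, seed):
    """Constructed sample input: n attribute names that share bucket 0 under `seed`."""
    found = []
    for i in count():
        name = f"attr{i}"
        if bucket(name, seed) == 0:
            found.append(name)
            if len(found) == n:
                return found

if __name__ == "__main__":
    n = 200
    keys = same_bucket_keys(n, b"")  # chosen against the fixed hash
    # Fixed hash: every insert walks one ever-growing chain, n*(n-1)/2 comparisons.
    print("fixed hash  :", insert_cost(keys, b""))
    # Seeded hash: the same names spread over all buckets. The seed here is a
    # constructed constant; a real one would be drawn per process (os.urandom).
    print("seeded hash :", insert_cost(keys, b"constructed-seed"))
```

The names only pile into one chain under the hash they were chosen against; once the seed is unknown to whoever builds the document, the same input costs about what ordinary attribute names would.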

The bottom line is: if you use 32-bit Python, do think of upgrading to 2.6.8 at your earliest convenience.
