Zitat von Victor Stinner <victor.stinner at haypocalc.com>: >> Each string would get two hashes: the "public" hash, which is constant >> across runs and bugfix releases, and the dict-hash, which is only used >> by the dictionary implementation, and only if all keys to the dict are >> strings. > > The distinction between secret (private, secure) and "public" hash > (deterministic) is not clear to me. It's not about privacy or security. It's about compatibility. The dict-hash is only used in the dict implementation, and never exposed, leaving the tp_hash unmodified. > Example: collections.UserDict implements __hash__() using > hash(self.data). Are you sure? I only see that used for UserString, not UserDict. > collections.abc.Set computes its hash using hash(x) of each item. Same > question. The hash of the Set should most certainly use the element's tp_hash. That *is* the hash of the objects, and it may collide for strings just fine due to the vulnerability. > If we need to use the secret hash, it should be exposed in Python. It's not secret, just specific. I don't mind it being exposed. However, that would be a new feature, which cannot be added in a security fix or bug fix release. > Which function/method would be used? I suppose that we cannot add > anything to stable releases like 2.7. Right. Nor do I see any need to expose it. It fixes the vulnerability just fine without being exposed. Regards, Martin
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4