- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED environment variable, to provide an opt-in way to protect against denial of service attacks due to hash collisions within the dict and set types. Patch by David Malcolm, based on work by Victor Stinner.

commit: 1e13eb084f72d5993cbb726e45b36bdb69c83a24 [log] [tgz]
author: Barry Warsaw <barry@python.org> Mon Feb 20 20:42:21 2012 -0500
committer: Barry Warsaw <barry@python.org> Mon Feb 20 20:42:21 2012 -0500
tree: 1db691c15c5980a870bcc2606a6d2afc77e28bad
parent: f5a5beb33985b4b55480de267084b90d89a5c5c4 [diff] [blame]
diff --git a/Objects/bufferobject.c b/Objects/bufferobject.c
index 0f7e763..c52f0bc 100644
--- a/Objects/bufferobject.c
+++ b/Objects/bufferobject.c

@@ -334,10 +334,20 @@
         return -1;
     p = (unsigned char *) ptr;
     len = size;
-    x = *p << 7;
+    /*
+      We make the hash of the empty buffer be 0, rather than using
+      (prefix ^ suffix), since this slightly obfuscates the hash secret
+    */
+    if (len == 0) {
+        self->b_hash = 0;
+        return 0;
+    }
+    x = _Py_HashSecret.prefix;
+    x ^= *p << 7;
     while (--len >= 0)
         x = (1000003*x) ^ *p++;
     x ^= size;
+    x ^= _Py_HashSecret.suffix;
     if (x == -1)
         x = -2;
     self->b_hash = x;
commit	1e13eb084f72d5993cbb726e45b36bdb69c83a24	[log] [tgz]
author	Barry Warsaw <barry@python.org>	Mon Feb 20 20:42:21 2012 -0500
committer	Barry Warsaw <barry@python.org>	Mon Feb 20 20:42:21 2012 -0500
tree	1db691c15c5980a870bcc2606a6d2afc77e28bad
parent	f5a5beb33985b4b55480de267084b90d89a5c5c4 [diff] [blame]