- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED environment variable, to provide an opt-in way to protect against denial of service attacks due to hash collisions within the dict and set types. Patch by David Malcolm, based on work by Victor Stinner.

commit: 1e13eb084f72d5993cbb726e45b36bdb69c83a24 [log] [tgz]
author: Barry Warsaw <barry@python.org> Mon Feb 20 20:42:21 2012 -0500
committer: Barry Warsaw <barry@python.org> Mon Feb 20 20:42:21 2012 -0500
tree: 1db691c15c5980a870bcc2606a6d2afc77e28bad
parent: f5a5beb33985b4b55480de267084b90d89a5c5c4 [diff] [blame]
diff --git a/Objects/stringobject.c b/Objects/stringobject.c
index e37b579..9e2673d 100644
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c

@@ -1212,11 +1212,21 @@
     if (a->ob_shash != -1)
         return a->ob_shash;
     len = Py_SIZE(a);
+    /*
+      We make the hash of the empty string be 0, rather than using
+      (prefix ^ suffix), since this slightly obfuscates the hash secret
+    */
+    if (len == 0) {
+        a->ob_shash = 0;
+        return 0;
+    }
     p = (unsigned char *) a->ob_sval;
-    x = *p << 7;
+    x = _Py_HashSecret.prefix;
+    x ^= *p << 7;
     while (--len >= 0)
         x = (1000003*x) ^ *p++;
     x ^= Py_SIZE(a);
+    x ^= _Py_HashSecret.suffix;
     if (x == -1)
         x = -2;
     a->ob_shash = x;
commit	1e13eb084f72d5993cbb726e45b36bdb69c83a24	[log] [tgz]
author	Barry Warsaw <barry@python.org>	Mon Feb 20 20:42:21 2012 -0500
committer	Barry Warsaw <barry@python.org>	Mon Feb 20 20:42:21 2012 -0500
tree	1db691c15c5980a870bcc2606a6d2afc77e28bad
parent	f5a5beb33985b4b55480de267084b90d89a5c5c4 [diff] [blame]