- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED
environment variable, to provide an opt-in way to protect against denial of
service attacks due to hash collisions within the dict and set types. Patch
by David Malcolm, based on work by Victor Stinner.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index d8dab67..2f80e59 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -6695,11 +6695,21 @@
if (self->hash != -1)
return self->hash;
len = PyUnicode_GET_SIZE(self);
+ /*
+ We make the hash of the empty string be 0, rather than using
+ (prefix ^ suffix), since this slightly obfuscates the hash secret
+ */
+ if (len == 0) {
+ self->hash = 0;
+ return 0;
+ }
p = PyUnicode_AS_UNICODE(self);
- x = *p << 7;
+ x = _Py_HashSecret.prefix;
+ x ^= *p << 7;
while (--len >= 0)
x = (1000003*x) ^ *p++;
x ^= PyUnicode_GET_SIZE(self);
+ x ^= _Py_HashSecret.suffix;
if (x == -1)
x = -2;
self->hash = x;
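Review bot: The secret enters this hash only as an XOR of `prefix` into the initial state and an XOR of `suffix` at the end, around a multiply-by-1000003/XOR chain that is invertible per step, so the added randomization changes the output values but not the algebraic structure an attacker relies on; hash values that are observable (for example through hash() or dict/set iteration order) are presumably sufficient to recover `prefix ^ suffix` and then the per-position secret, which would reduce this to a mitigation that raises the cost of a collision attack rather than a keyed hash that resists it. That is worth stating at the point where the secret is mixed in, e.g. above `x = _Py_HashSecret.prefix;`: `/* NOTE: prefix/suffix are only XORed around an invertible multiply/XOR chain; this hinders offline precomputation of collisions but does not behave like a keyed PRF, and observable hash values may leak the secret. */`. The empty-string special case above is consistent with that concern, since returning 0 avoids exposing `prefix ^ suffix` directly, but a single-character string already yields a value that differs from the secret by only an invertible transform. unicode_hash starts and ends outside the hunk, so the declaration and sign handling of `x` are not visible here.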