Issue #13703: add a way to randomize the hash values of basic types (str, bytes, datetime) in order to make algorithmic complexity attacks on (e.g.) web apps much more complicated. The environment variable PYTHONHASHSEED and the new command line flag -R control this behavior.

commit: 2daf6ae2495c862adf8bc717bfe9964081ea0b10 [log] [tgz]
author: Georg Brandl <georg@python.org> Mon Feb 20 19:54:16 2012 +0100
committer: Georg Brandl <georg@python.org> Mon Feb 20 19:54:16 2012 +0100
tree: ebd7efe668e4f7842c6d51bdbde47b00f92a57db
parent: ec1712a1662282c909b4cd4cc0c7486646bc9246 [diff] [blame]
diff --git a/Misc/NEWS b/Misc/NEWS
index 6e95697..486da13 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS

@@ -10,6 +10,11 @@
 Core and Builtins
 -----------------
 
+- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED
+  environment variables, to provide an opt-in way to protect against denial of
+  service attacks due to hash collisions within the dict and set types.  Patch
+  by David Malcolm, based on work by Victor Stinner.
+
 Library
 -------
commit	2daf6ae2495c862adf8bc717bfe9964081ea0b10	[log] [tgz]
author	Georg Brandl <georg@python.org>	Mon Feb 20 19:54:16 2012 +0100
committer	Georg Brandl <georg@python.org>	Mon Feb 20 19:54:16 2012 +0100
tree	ebd7efe668e4f7842c6d51bdbde47b00f92a57db
parent	ec1712a1662282c909b4cd4cc0c7486646bc9246 [diff] [blame]