- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED

environment variable, to provide an opt-in way to protect against denial of service attacks due to hash collisions within the dict and set types. Patch by David Malcolm, based on work by Victor Stinner.
author: Barry Warsaw <barry@python.org> 2012-02-20 20:42:21 -0500
committer: Barry Warsaw <barry@python.org> 2012-02-20 20:42:21 -0500
commit: 1e13eb084f72d5993cbb726e45b36bdb69c83a24 (patch)
tree: 1db691c15c5980a870bcc2606a6d2afc77e28bad /Objects/unicodeobject.c
parent: f5a5beb33985b4b55480de267084b90d89a5c5c4 (diff)
download: cpython-git-1e13eb084f72d5993cbb726e45b36bdb69c83a24.tar.gz
1 files changed, 11 insertions, 1 deletions
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index d8dab672b6..2f80e59b32 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -6695,11 +6695,21 @@ unicode_hash(PyUnicodeObject *self)
     if (self->hash != -1)
         return self->hash;
     len = PyUnicode_GET_SIZE(self);
+    /*
+      We make the hash of the empty string be 0, rather than using
+      (prefix ^ suffix), since this slightly obfuscates the hash secret
+    */
+    if (len == 0) {
+        self->hash = 0;
+        return 0;
+    }
     p = PyUnicode_AS_UNICODE(self);
-    x = *p << 7;
+    x = _Py_HashSecret.prefix;
+    x ^= *p << 7;
     while (--len >= 0)
         x = (1000003*x) ^ *p++;
     x ^= PyUnicode_GET_SIZE(self);
+    x ^= _Py_HashSecret.suffix;
     if (x == -1)
         x = -2;
     self->hash = x;
author	Barry Warsaw <barry@python.org>	2012-02-20 20:42:21 -0500
committer	Barry Warsaw <barry@python.org>	2012-02-20 20:42:21 -0500
commit	1e13eb084f72d5993cbb726e45b36bdb69c83a24 (patch)
tree	1db691c15c5980a870bcc2606a6d2afc77e28bad /Objects/unicodeobject.c
parent	f5a5beb33985b4b55480de267084b90d89a5c5c4 (diff)
download	cpython-git-1e13eb084f72d5993cbb726e45b36bdb69c83a24.tar.gz