Chris Angelico, 24.01.2012 05:47:
> Lua and Pike both quite happily solved hash collision attacks in their
> interning of strings by randomizing the hash used, because there's no
> way to rely on it. Presumably (based on the intern() docs) Python can
> do the same, if you explicitly intern your strings first. Is it worth
> recommending that people do this with anything that is
> client-provided, and then simply randomize the intern() hash?

If you want to encourage them to fill up their memory with user provided data in a non-erasable way, then sure, that would certainly keep an attacker from having to figure out hash collisions in order to bring down a system. Sending *any* arbitrarily varied data would be enough then.

Stefan

--
http://mail.python.org/mailman/listinfo/python-list