Author: vstinner
Recipients: bjarvis, christian.heimes, rhettinger, vstinner
Date: 2017-11-30 14:21:34
Message-id: <1512051694.55.0.213398074469.issue32175@psf.upfronthosting.co.za>

Content:
It was decided to leave the hash randomization disabled by default for backward compatibility. It's a deliberate choice.

I don't think that we need to go further for Python 2.7. I never considered this denial of service attack as major; there are many other ways to trigger a DoS, and fixing the dict type is not the right way to prevent this class of attacks.

HTTP clients and frameworks like http.client and Django implemented other countermeasures like limiting the number of HTTP headers.

The problem was correctly fixed in Python 3: randomization enabled by default since Python 3.3, and Python 3.4 now uses SipHash which better hides the hash secret.

More info at:
* http://python-security.readthedocs.io/vuln/cve-2012-1150_hash_dos.html
* http://python-security.readthedocs.io/vuln/cve-2013-7040_hash_not_properly_randomized.html
History

Date | User | Action | Args
2017-11-30 14:21:34 | vstinner | set | recipients: + vstinner, rhettinger, christian.heimes, bjarvis
2017-11-30 14:21:34 | vstinner | set | messageid: <1512051694.55.0.213398074469.issue32175@psf.upfronthosting.co.za>
2017-11-30 14:21:34 | vstinner | link | issue32175 messages
2017-11-30 14:21:34 | vstinner | create
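The message above names two defences: interpreter-level hash randomization (on by default since Python 3.3, SipHash since 3.4) and application-level limits on attacker-controlled dict growth, such as capping the number of HTTP headers. The following script is an added illustration written for this page, not code from the issue or from CPython: it reports the running interpreter's randomization status via `sys.flags.hash_randomization` and `sys.hash_info.algorithm`, and shows a header parser that refuses oversized blocks. The `MAX_HEADERS` value, the `parse_headers` function and the sample header blocks are constructed for the example; `http.client` does ship its own header-count limit, but the number used here is an assumption, not a quote of the stdlib.

```python
import sys
from typing import Dict, List

# Assumed limit for this example; http.client has its own cap, but the
# exact figure here is chosen for illustration, not copied from the stdlib.
MAX_HEADERS = 100


def hash_randomization_status() -> Dict[str, object]:
    """Report whether str/bytes hashes are randomized in this interpreter
    and which hash function CPython was built with.

    sys.flags.hash_randomization is 1 when randomization is active (the
    default on Python 3.3+; Python 2.7 needs -R or PYTHONHASHSEED).
    sys.hash_info.algorithm names the function, e.g. "siphash24" or
    "siphash13" on modern CPython, "fnv" on older builds.
    """
    return {
        "enabled": bool(sys.flags.hash_randomization),
        "algorithm": sys.hash_info.algorithm,
    }


class TooManyHeaders(ValueError):
    """Raised when a header block exceeds the configured line limit."""


def parse_headers(raw: bytes, max_headers: int = MAX_HEADERS) -> Dict[str, List[str]]:
    """Parse a CRLF-delimited HTTP header block into a dict of lists.

    The count check runs before each insertion, so an untrusted client can
    force at most max_headers dict operations regardless of how its header
    names hash. That bound is the application-level countermeasure the
    message refers to, independent of the interpreter's hash function.
    """
    headers: Dict[str, List[str]] = {}
    count = 0
    for line in raw.split(b"\r\n"):
        if not line:
            break  # an empty line terminates the header block
        count += 1
        if count > max_headers:
            raise TooManyHeaders(f"more than {max_headers} header lines")
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower().decode("ascii")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


# Constructed sample input: a small, well-formed header block.
SAMPLE_OK = (
    b"Host: example.test\r\n"
    b"User-Agent: demo\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

# Constructed oversized input: 150 distinct header lines, above MAX_HEADERS.
SAMPLE_TOO_MANY = b"".join(b"X-Demo-%d: v\r\n" % i for i in range(150)) + b"\r\n"


def rejects_oversized_block(raw: bytes = SAMPLE_TOO_MANY) -> bool:
    """Return True if the parser refuses the block with TooManyHeaders."""
    try:
        parse_headers(raw)
    except TooManyHeaders:
        return True
    return False


if __name__ == "__main__":
    print("hash randomization:", hash_randomization_status())
    print("parsed:", parse_headers(SAMPLE_OK))
    print("oversized block rejected:", rejects_oversized_block())
```

Running the script on a default Python 3 build reports `enabled: True` with a SipHash variant; on Python 2.7 without `-R` it reports `enabled: False`, which is the backward-compatible default the message describes. The header limit works the same either way, which is why the message treats it as the primary defence for servers that cannot control the interpreter's hash settings.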