Mark Dickinson <dicki...@gmail.com> added the comment:

> shouldn't numerics, datetime objects, and tuples be non-deterministically
> hashed as well? [...]

Making the numeric hash non-predictable while maintaining its current properties would be difficult. But fortunately, I don't think it's necessary.

IIUC, the original DOS attack involved carefully-crafted collections of keywords and values being passed to a website backend, with that backend then putting those keywords and values into a Python dictionary. I'd expect that there are *way* more places where a dict is being constructed with string keys in this way than with numeric keys. In fact, I think it's reasonable to assume that there are no websites vulnerable to a DOS via *numeric* hash collisions until we see evidence otherwise.

FWIW, I'd expect the same to be true for datetime objects; I'm not sure why they were originally included. IANASE, but it seems to me that covering Unicode strings and bytestrings should be enough in practice.

----------
nosy: +mark.dickinson

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue29535>
_______________________________________
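
The coverage discussed in the message above can be checked directly on a Python 3 interpreter. This is an added example, not part of the original message or of CPython's code; the key values and function names are constructed for illustration. It starts fresh interpreters under different `PYTHONHASHSEED` values and reports which key types have seed-dependent hashes.

```python
import json
import os
import subprocess
import sys

# Script run in each child interpreter. The keys are constructed samples,
# one per type mentioned in the thread (str, bytes, numerics, tuples).
PROBE = (
    "import json\n"
    "keys = {'str': 'session_id', 'bytes': b'session_id', 'int': 123456789,\n"
    "        'float': 2.5, 'tuple_of_int': (1, 2, 3)}\n"
    "print(json.dumps({name: hash(k) for name, k in keys.items()}))\n"
)


def hashes_under_seed(seed):
    """Run a fresh interpreter with PYTHONHASHSEED=seed and return its hashes."""
    env = dict(os.environ, PYTHONHASHSEED=str(seed))
    result = subprocess.run(
        [sys.executable, "-c", PROBE],
        env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(result.stdout)


def seed_dependent_types(seeds=(1, 2, 3)):
    """Map each key type to True if its hash changes when the seed changes."""
    runs = [hashes_under_seed(s) for s in seeds]
    return {name: len({run[name] for run in runs}) > 1 for name in runs[0]}


if __name__ == "__main__":
    for name, varies in seed_dependent_types().items():
        print(f"{name:13s} {'seed-dependent' if varies else 'fixed across seeds'}")
```
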