I finished my patch transforming hash(str) to a randomized hash function, see random-8.patch attached to the issue: http://bugs.python.org/issue13703

The remaining question is which random number generator should be used on Windows to initialize the hash secret (CryptoGen adds an overhead of 10%, at least when the DLL is loaded dynamically); read the issue for the details.

I plan to commit my fix to Python 3.3 if it is accepted. Then write a simplified version for Python 3.2 and backport it to 3.1. Then backport the simplified fix to 2.7, and finally to 2.6.

The vulnerability has been public for one month; it is maybe time to fix it before it is widely exploited.

Victor