Issue #13703: add a way to randomize the hash values of basic types (str, bytes, datetime)

in order to make algorithmic complexity attacks on (e.g.) web apps much more complicated. The environment variable PYTHONHASHSEED and the new command line flag -R control this behavior.
author: Georg Brandl <georg@python.org> 2012-02-20 18:54:16 (GMT)
committer: Georg Brandl <georg@python.org> 2012-02-20 18:54:16 (GMT)
commit: 2daf6ae2495c862adf8bc717bfe9964081ea0b10 (patch)
tree: ebd7efe668e4f7842c6d51bdbde47b00f92a57db /Misc/NEWS
parent: ec1712a1662282c909b4cd4cc0c7486646bc9246 (diff)
download: cpython-2daf6ae2495c862adf8bc717bfe9964081ea0b10.zip
cpython-2daf6ae2495c862adf8bc717bfe9964081ea0b10.tar.gz
cpython-2daf6ae2495c862adf8bc717bfe9964081ea0b10.tar.bz2
1 files changed, 5 insertions, 0 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index 6e95697..486da13 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,11 @@ What's New in Python 3.1.5?
 Core and Builtins
 -----------------
 
+- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED
+  environment variables, to provide an opt-in way to protect against denial of
+  service attacks due to hash collisions within the dict and set types.  Patch
+  by David Malcolm, based on work by Victor Stinner.
+
 Library
 -------
author	Georg Brandl <georg@python.org>	2012-02-20 18:54:16 (GMT)
committer	Georg Brandl <georg@python.org>	2012-02-20 18:54:16 (GMT)
commit	2daf6ae2495c862adf8bc717bfe9964081ea0b10 (patch)
tree	ebd7efe668e4f7842c6d51bdbde47b00f92a57db /Misc/NEWS
parent	ec1712a1662282c909b4cd4cc0c7486646bc9246 (diff)
download	cpython-2daf6ae2495c862adf8bc717bfe9964081ea0b10.zip cpython-2daf6ae2495c862adf8bc717bfe9964081ea0b10.tar.gz cpython-2daf6ae2495c862adf8bc717bfe9964081ea0b10.tar.bz2