author | Georg Brandl <georg@python.org> | 2012-02-20 23:33:36 (GMT) |
---|---|---|
committer | Georg Brandl <georg@python.org> | 2012-02-20 23:33:36 (GMT) |
commit | 2fb477c0f0284439d40cb3f46eea45ef42446e53 (patch) | |
tree | c8df3747d511256d56ca4af046db7915b5c06096 /Misc | |
parent | b5c793a0b349cb02003433c30a410595b224079f (diff) | |
parent | 9edceb3e591063f382ae82e14313813ffc1af0bf (diff) | |
Merge 3.2: Issue #13703 plus some related test suite fixes.
Diffstat (limited to 'Misc')
-rw-r--r-- | Misc/NEWS | 5 | ||||
-rw-r--r-- | Misc/python.man | 29 |
2 files changed, 34 insertions, 0 deletions
@@ -16,6 +16,11 @@ Core and Builtins - Issue #14051: Allow arbitrary attributes to be set of classmethod and staticmethod. +- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED + environment variable, to provide an opt-in way to protect against denial of + service attacks due to hash collisions within the dict and set types. Patch + by David Malcolm, based on work by Victor Stinner. + - Issue #13020: Fix a reference leak when allocating a structsequence object fails. Patch by Suman Saha. diff --git a/Misc/python.man b/Misc/python.man index eaa3ec7..ef42c4e 100644 --- a/Misc/python.man +++ b/Misc/python.man @@ -37,6 +37,9 @@ python \- an interpreted, interactive, object-oriented programming language .B \-OO ] [ +.B \-R +] +[ .B \-s ] [ @@ -148,6 +151,18 @@ Discard docstrings in addition to the \fB-O\fP optimizations. Do not print the version and copyright messages. These messages are also suppressed in non-interactive mode. .TP +.B \-R +Turn on "hash randomization", so that the hash() values of str, bytes and +datetime objects are "salted" with an unpredictable pseudo-random value. +Although they remain constant within an individual Python process, they are +not predictable between repeated invocations of Python. +.IP +This is intended to provide protection against a denial of service +caused by carefully-chosen inputs that exploit the worst case performance +of a dict insertion, O(n^2) complexity. See +http://www.ocert.org/advisories/ocert-2011-003.html +for details. +.TP .B \-s Don't add user site directory to sys.path. .TP 
@@ -402,6 +417,20 @@ specifying \fB\-v\fP multiple times. .IP PYTHONWARNINGS If this is set to a comma-separated string it is equivalent to specifying the \fB\-W\fP option for each separate value. +.IP PYTHONHASHSEED +If this variable is set to "random", the effect is the same as specifying +the \fB-R\fP option: a random value is used to seed the hashes of str, +bytes and datetime objects. + +If PYTHONHASHSEED is set to an integer value, it is used as a fixed seed for +generating the hash() of the types covered by the hash randomization. Its +purpose is to allow repeatable hashing, such as for selftests for the +interpreter itself, or to allow a cluster of python processes to share hash +values. + +The integer must be a decimal number in the range [0,4294967295]. Specifying +the value 0 will lead to the same hash values as when hash randomization is +disabled. .SH AUTHOR The Python Software Foundation: http://www.python.org/psf .SH INTERNET RESOURCES |
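Review bot: In the `.B \-R` entry of Misc/python.man (hunk `@@ -148,6 +151,18`), "the worst case performance of a dict insertion, O(n^2) complexity" mixes the cost of one insertion with the cost of a whole build. A single insertion into a table of n colliding keys is O(n); the quadratic figure is the total for inserting n such keys. Suggest wording along the lines of "the worst case performance of building a dict, O(n^2) for n colliding keys". The Misc/NEWS entry in this same patch names "the dict and set types", so the man page should mention set as well. The entry also does not say that randomization is off unless `-R` or PYTHONHASHSEED is given, which NEWS describes as "opt-in", and it does not say what happens when `-R` is combined with an integer PYTHONHASHSEED.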
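Review bot: In the `.IP PYTHONHASHSEED` entry of Misc/python.man (hunk `@@ -402,6 +417,20`), the paragraph on integer seeds presents a fixed seed only as a convenience ("repeatable hashing", "share hash values") and never says that a fixed, known seed makes the hash() values predictable again. That gives up the protection the `-R` entry describes. Please add a sentence saying so, since "Specifying the value 0 will lead to the same hash values as when hash randomization is disabled" covers only the 0 case. The text gives the range [0,4294967295] but not what the interpreter does with a value outside it or with a non-decimal string; that should be documented too. Style: the paragraph breaks here are bare empty lines, while the `-R` entry added in this same patch uses `.IP` for its second paragraph; use the same macro in both places.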