[Python-checkins] cpython: enable hash randomization by default

Tue Feb 21 22:08:11 CET 2012

http://hg.python.org/cpython/rev/198e31774f0f
changeset: 75152:198e31774f0f
parent: 75146:75990a013d4d
user: Benjamin Peterson <benjamin at python.org>
date: Tue Feb 21 16:08:05 2012 -0500
summary:
 enable hash randomization by default
files:
 Doc/reference/datamodel.rst | 24 +++++++++++++++++++++++-
 Doc/using/cmdline.rst | 10 ++++------
 Lib/test/test_cmd_line.py | 4 ++--
 Lib/test/test_hash.py | 4 ++--
 Misc/NEWS | 7 +++----
 Misc/python.man | 23 +++--------------------
 Modules/main.c | 25 +++++++------------------
 Python/random.c | 11 -----------
 Tools/scripts/run_tests.py | 1 -
 9 files changed, 44 insertions(+), 65 deletions(-)

diff --git a/Doc/reference/datamodel.rst b/Doc/reference/datamodel.rst
--- a/Doc/reference/datamodel.rst
+++ b/Doc/reference/datamodel.rst
@@ -1277,7 +1277,29 @@
 inheritance of :meth:`__hash__` will be blocked, just as if :attr:`__hash__`
 had been explicitly set to :const:`None`.
 
- See also the :option:`-R` command-line option.
+
+ .. note::
+
+ Note by default the :meth:`__hash__` values of str, bytes and datetime
+ objects are "salted" with an unpredictable random value. Although they
+ remain constant within an individual Python process, they are not
+ predictable between repeated invocations of Python.
+
+ This is intended to provide protection against a denial-of-service caused
+ by carefully-chosen inputs that exploit the worst case performance of a
+ dict insertion, O(n^2) complexity. See
+ http://www.ocert.org/advisories/ocert-2011-003.html for details.
+
+ Changing hash values affects the order in which keys are retrieved from a
+ dict. Although Python has never made guarantees about this ordering (and
+ it typically varies between 32-bit and 64-bit builds), enough real-world
+ code implicitly relies on this non-guaranteed behavior that the
+ randomization is disabled by default.
+
+ See also :envvar:`PYTHONHASHSEED`.
+
+ .. versionchanged:: 3.3
+ Hash randomization is enabled by default.
 
 
 .. method:: object.__bool__(self)
diff --git a/Doc/using/cmdline.rst b/Doc/using/cmdline.rst
--- a/Doc/using/cmdline.rst
+++ b/Doc/using/cmdline.rst
@@ -24,7 +24,7 @@
 
 When invoking Python, you may specify any of these options::
 
- python [-bBdEhiORqsSuvVWx?] [-c command | -m module-name | script | - ] [args]
+ python [-bBdEhiOqsSuvVWx?] [-c command | -m module-name | script | - ] [args]
 
 The most common use case is, of course, a simple invocation of a script::
 
@@ -486,9 +486,8 @@
 
 .. envvar:: PYTHONHASHSEED
 
- If this variable is set to ``random``, the effect is the same as specifying
- the :option:`-R` option: a random value is used to seed the hashes of str,
- bytes and datetime objects.
+ If this variable is set to ``random``, a random value is used to seed the
+ hashes of str, bytes and datetime objects.
 
 If :envvar:`PYTHONHASHSEED` is set to an integer value, it is used as a fixed
 seed for generating the hash() of the types covered by the hash
@@ -499,8 +498,7 @@
 values.
 
 The integer must be a decimal number in the range [0,4294967295]. Specifying
- the value 0 will lead to the same hash values as when hash randomization is
- disabled.
+ the value 0 will disable hash randomization.
 
 .. versionadded:: 3.2.3
 
diff --git a/Lib/test/test_cmd_line.py b/Lib/test/test_cmd_line.py
--- a/Lib/test/test_cmd_line.py
+++ b/Lib/test/test_cmd_line.py
@@ -330,14 +330,14 @@
 hashes = []
 for i in range(2):
 code = 'print(hash("spam"))'
- rc, out, err = assert_python_ok('-R', '-c', code)
+ rc, out, err = assert_python_ok('-c', code)
 self.assertEqual(rc, 0)
 hashes.append(out)
 self.assertNotEqual(hashes[0], hashes[1])
 
 # Verify that sys.flags contains hash_randomization
 code = 'import sys; print("random is", sys.flags.hash_randomization)'
- rc, out, err = assert_python_ok('-R', '-c', code)
+ rc, out, err = assert_python_ok('-c', code)
 self.assertEqual(rc, 0)
 self.assertIn(b'random is 1', out)
 
diff --git a/Lib/test/test_hash.py b/Lib/test/test_hash.py
--- a/Lib/test/test_hash.py
+++ b/Lib/test/test_hash.py
@@ -159,8 +159,8 @@
 else:
 known_hash_of_obj = -1600925533
 
- # Randomization is disabled by default:
- self.assertEqual(self.get_hash(self.repr_), known_hash_of_obj)
+ # Randomization is enabled by default:
+ self.assertNotEqual(self.get_hash(self.repr_), known_hash_of_obj)
 
 # It can also be disabled by setting the seed to 0:
 self.assertEqual(self.get_hash(self.repr_, seed=0), known_hash_of_obj)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -18,10 +18,9 @@
 - Issue #14051: Allow arbitrary attributes to be set of classmethod and
 staticmethod.
 
-- Issue #13703: oCERT-2011-003: add -R command-line option and PYTHONHASHSEED
- environment variable, to provide an opt-in way to protect against denial of
- service attacks due to hash collisions within the dict and set types. Patch
- by David Malcolm, based on work by Victor Stinner.
+- Issue #13703: oCERT-2011-003: Randomize hashes of str and bytes to protect
+ against denial of service attacks due to hash collisions within the dict and
+ set types. Patch by David Malcolm, based on work by Victor Stinner.
 
 - Issue #13020: Fix a reference leak when allocating a structsequence object
 fails. Patch by Suman Saha.
diff --git a/Misc/python.man b/Misc/python.man
--- a/Misc/python.man
+++ b/Misc/python.man
@@ -37,9 +37,6 @@
 .B \-OO
 ]
 [
-.B \-R
-]
-[
 .B \-s
 ]
 [
@@ -151,18 +148,6 @@
 Do not print the version and copyright messages. These messages are 
 also suppressed in non-interactive mode.
 .TP
-.B \-R
-Turn on "hash randomization", so that the hash() values of str, bytes and
-datetime objects are "salted" with an unpredictable pseudo-random value.
-Although they remain constant within an individual Python process, they are
-not predictable between repeated invocations of Python.
-.IP
-This is intended to provide protection against a denial of service
-caused by carefully-chosen inputs that exploit the worst case performance
-of a dict insertion, O(n^2) complexity. See
-http://www.ocert.org/advisories/ocert-2011-003.html
-for details.
-.TP
 .B \-s
 Don't add user site directory to sys.path.
 .TP
@@ -418,9 +403,8 @@
 If this is set to a comma-separated string it is equivalent to
 specifying the \fB\-W\fP option for each separate value.
 .IP PYTHONHASHSEED
-If this variable is set to "random", the effect is the same as specifying
-the \fB-R\fP option: a random value is used to seed the hashes of str,
-bytes and datetime objects.
+If this variable is set to "random", a random value is used to seed the hashes
+of str, bytes and datetime objects.
 
 If PYTHONHASHSEED is set to an integer value, it is used as a fixed seed for
 generating the hash() of the types covered by the hash randomization. Its
@@ -429,8 +413,7 @@
 values.
 
 The integer must be a decimal number in the range [0,4294967295]. Specifying
-the value 0 will lead to the same hash values as when hash randomization is
-disabled.
+the value 0 will disable hash randomization.
 .SH AUTHOR
 The Python Software Foundation: http://www.python.org/psf
 .SH INTERNET RESOURCES
diff --git a/Modules/main.c b/Modules/main.c
--- a/Modules/main.c
+++ b/Modules/main.c
@@ -73,9 +73,6 @@
 -O : optimize generated bytecode slightly; also PYTHONOPTIMIZE=x\n\
 -OO : remove doc-strings in addition to the -O optimizations\n\
 -q : don't print version and copyright messages on interactive startup\n\
--R : use a pseudo-random salt to make hash() values of various types be\n\
- unpredictable between separate invocations of the interpreter, as\n\
- a defence against denial-of-service attacks\n\
 -s : don't add user site directory to sys.path; also PYTHONNOUSERSITE\n\
 -S : don't imply 'import site' on initialization\n\
 ";
@@ -107,10 +104,10 @@
 "PYTHONFAULTHANDLER: dump the Python traceback on fatal errors.\n\
 ";
 static char *usage_6 = "\
-PYTHONHASHSEED: if this variable is set to ``random``, the effect is the same \n\
- as specifying the :option:`-R` option: a random value is used to seed the\n\
- hashes of str, bytes and datetime objects. It can also be set to an integer\n\
- in the range [0,4294967295] to get hash values with a predictable seed.\n\
+PYTHONHASHSEED: if this variable is set to ``random``, a random value is used\n\
+ to seed the hashes of str, bytes and datetime objects. It can also be\n\
+ set to an integer in the range [0,4294967295] to get hash values with a\n\
+ predictable seed.\n\
 ";
 
 static int
@@ -347,21 +344,13 @@
 not interpreter options. */
 break;
 }
- switch (c) {
- case 'E':
+ if (c == 'E') {
 Py_IgnoreEnvironmentFlag++;
 break;
- case 'R':
- Py_HashRandomizationFlag++;
- break;
 }
 }
- /* The variable is only tested for existence here; _PyRandom_Init will
- check its value further. */
- if (!Py_HashRandomizationFlag &&
- (p = Py_GETENV("PYTHONHASHSEED")) && *p != '0円')
- Py_HashRandomizationFlag = 1;
 
+ Py_HashRandomizationFlag = 1;
 _PyRandom_Init();
 
 PySys_ResetWarnOptions();
@@ -468,7 +457,7 @@
 break;
 
 case 'R':
- /* Already handled above */
+ /* Ignored */
 break;
 
 /* This space reserved for other options */
diff --git a/Python/random.c b/Python/random.c
--- a/Python/random.c
+++ b/Python/random.c
@@ -257,17 +257,6 @@
 _Py_HashSecret_Initialized = 1;
 
 /*
- By default, hash randomization is disabled, and only
- enabled if PYTHONHASHSEED is set to non-empty or if
- "-R" is provided at the command line:
- */
- if (!Py_HashRandomizationFlag) {
- /* Disable the randomized hash: */
- memset(secret, 0, secret_size);
- return;
- }
-
- /*
 Hash randomization is enabled. Generate a per-process secret,
 using PYTHONHASHSEED if provided.
 */
diff --git a/Tools/scripts/run_tests.py b/Tools/scripts/run_tests.py
--- a/Tools/scripts/run_tests.py
+++ b/Tools/scripts/run_tests.py
@@ -25,7 +25,6 @@
 '-W', 'default', # Warnings set to 'default'
 '-bb', # Warnings about bytes/bytearray
 '-E', # Ignore environment variables
- '-R', # Randomize hashing
 ]
 # Allow user-specified interpreter options to override our defaults.
 args.extend(test.support.args_from_interpreter_flags())
-- 
Repository URL: http://hg.python.org/cpython
