Prevent Hash DoS in Python


Denial of Service through hash table multi-collisions, or Hash DoS, was first reported on 28-Dec-2011 [1].

Python and Ruby are partially vulnerable, depending on the version and on whether the server running the code is a 32-bit or 64-bit machine. Python 2 does not by default provide a random value for PYTHONHASHSEED [2], but this behaviour changed in Python 3 [3], where random is the default value.
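A way to check this on a deployment, added here as an example that is not part of the original post: it classifies a PYTHONHASHSEED setting as Python 3 documents it and confirms, by starting fresh interpreters, whether string hashes repeat across process starts. The function names and the probe string are hypothetical, and it assumes Python 3.7 or later.

```python
import os
import subprocess
import sys

PROBE = "hashdos-probe"  # constructed sample string; any str works
MAX_SEED = 4294967295    # upper bound documented for PYTHONHASHSEED


def classify_seed(value):
    """Classify a PYTHONHASHSEED value as Python 3 documents it."""
    if not value or value == "random":
        return "randomized"   # unset, empty or "random": new seed per process
    if value.isascii() and value.isdigit() and int(value) <= MAX_SEED:
        # 0 switches randomization off; any other integer pins the seed
        return "disabled" if int(value) == 0 else "fixed"
    return "invalid"          # outside the documented values


def child_hash(seed, text=PROBE):
    """Return hash(text) computed by a fresh interpreter started with this seed."""
    env = dict(os.environ)
    env.pop("PYTHONHASHSEED", None)
    if seed is not None:
        env["PYTHONHASHSEED"] = seed
    out = subprocess.run(
        [sys.executable, "-c", f"print(hash({text!r}))"],
        env=env, capture_output=True, text=True, check=True,
    )
    return int(out.stdout)


def hashes_repeat(seed, runs=3):
    """True if every fresh process yields the same hash (collisions can be precomputed)."""
    return len({child_hash(seed) for _ in range(runs)}) == 1


def audit_current_process():
    """Report the running interpreter's flag and the environment setting behind it."""
    return {
        "hash_randomization": bool(sys.flags.hash_randomization),
        "seed_setting": classify_seed(os.environ.get("PYTHONHASHSEED")),
    }


if __name__ == "__main__":
    print(audit_current_process())
    for seed in (None, "0", "123"):
        state = "repeats" if hashes_repeat(seed) else "varies"
        print(repr(seed), classify_seed(seed), state)
```

A service whose setting classifies as "disabled" or "fixed" produces the same hashes on every start, so the environment variable is worth checking in unit files and container images as well as in the running process.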

References

[1] https://web.archive.org/web/20140606214923/https://www.nruns.com/_downloads/advisory28122011.pdf
[2] http://docs.python.org/2/using/cmdline.html#envvar-PYTHONHASHSEED
[3] http://docs.python.org/3/using/cmdline.html#envvar-PYTHONHASHSEED

Saurabh Kumar