Thanks, I filed http://bugs.python.org/issue15719 to track this.

On Fri, Aug 17, 2012 at 12:50 PM, "Martin v. Löwis" <mar...@v.loewis.de> wrote:
> On 17.08.2012 21:27, Guido van Rossum wrote:
>> query = sorted(query.items())
>>
>> This would not prevent breakage of unit tests, but it would make a
>> much simpler fix possible: simply sort the parameters in the URL.
>>
>> Thoughts?
>
> Sounds good. For best backwards compatibility, I'd restrict the sorting
> to the exact dict type, since people may be using non-dict mappings
> which already have a different stable order.
>
>> for all versions of Python that support PYTHONHASHSEED?
>
> I think this cannot be done, in particular not for 2.6 and 3.1 - it's
> not a security fix (*).
>
> Strictly speaking, it isn't even a bug fix, since it doesn't restore
> the original behavior that some people (like your test case) relied
> on. In particular, if somebody has fixed PYTHONHASHSEED to get a stable
> order, this change would break such installations. By that policy, it
> could only go into 3.4.
>
> OTOH, if it also checked whether there is randomized hashing, and sort
> only in that case, I think it should be backwards compatible in all
> interesting cases.
>
> Regards,
> Martin
>
> (*) I guess some may claim that the current implementation leaks
> some bits of the hash seed, since you can learn the seed from
> the parameter order, so sorting would make it more secure. However,
> I would disagree that this constitutes a feasible threat.

--
--Guido van Rossum (python.org/~guido)
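
An added illustration, not part of the original message and not CPython's code: a hypothetical wrapper `stable_urlencode` around `urllib.parse.urlencode` that applies the sorting discussed in the quoted text, restricted to the exact dict type and to runs where hash randomization is enabled. The `randomized` parameter is an assumption added here so both branches can be exercised deterministically.

```python
import sys
from collections import OrderedDict
from urllib.parse import urlencode


def stable_urlencode(query, doseq=False, randomized=None):
    """Hypothetical wrapper: sort parameters only for plain dicts under randomized hashing.

    - Exact ``dict`` instances are sorted by key, so the resulting URL does not
      depend on the per-process hash seed.
    - Other mappings (e.g. OrderedDict) and sequences of pairs keep the order
      the caller gave them, since they may already have a stable order.
    - With hash randomization off (e.g. a fixed PYTHONHASHSEED), nothing is
      sorted, so installations relying on the existing order are unaffected.
    """
    if randomized is None:
        # sys.flags.hash_randomization is non-zero when randomized hashing is active.
        randomized = bool(sys.flags.hash_randomization)
    if type(query) is dict and randomized:
        query = sorted(query.items())
    return urlencode(query, doseq=doseq)


if __name__ == "__main__":
    # Constructed sample inputs.
    params = {"b": "2", "a": "1"}
    print(stable_urlencode(params, randomized=True))
    print(stable_urlencode(OrderedDict([("b", "2"), ("a", "1")]), randomized=True))
    print(stable_urlencode([("b", "2"), ("a", "1")], randomized=True))
```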