On 17.08.2012 21:27, Guido van Rossum wrote:
>         query = sorted(query.items())
>
> This would not prevent breakage of unit tests, but it would make a
> much simpler fix possible: simply sort the parameters in the URL.
>
> Thoughts?

Sounds good. For best backwards compatibility, I'd restrict the sorting
to the exact dict type, since people may be using non-dict mappings
which already have a different stable order.

> for all versions of Python that support PYTHONHASHSEED?

I think this cannot be done, in particular not for 2.6 and 3.1 - it's
not a security fix (*).

Strictly speaking, it isn't even a bug fix, since it doesn't restore
the original behavior that some people (like your test case) relied
on. In particular, if somebody has fixed PYTHONHASHSEED to get a stable
order, this change would break such installations. By that policy, it
could only go into 3.4.

OTOH, if it also checked whether there is randomized hashing, and sorted
only in that case, I think it should be backwards compatible in all
interesting cases.

Regards,
Martin

(*) I guess some may claim that the current implementation leaks
some bits of the hash seed, since you can learn the seed from
the parameter order, so sorting would make it more secure. However,
I would disagree that this constitutes a feasible threat.
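
An added example, not part of the original message or of urllib: one way to combine the two conditions proposed above (sort only the exact dict type, and only when hash randomization is active). The helper name `stable_urlencode` and its `randomized` parameter are hypothetical.

```python
import sys
from collections import OrderedDict
from urllib.parse import urlencode


def stable_urlencode(query, randomized=None, **kwargs):
    """urlencode() with the ordering rule discussed in this thread.

    Hypothetical helper, not part of urllib. `randomized` defaults to the
    interpreter's own hash-randomization flag; pass it explicitly to test.
    """
    if randomized is None:
        randomized = bool(sys.flags.hash_randomization)
    # Exact type check rather than isinstance(): OrderedDict and other
    # mappings that already have a stable order must be left untouched.
    if randomized and type(query) is dict:
        query = sorted(query.items())
    return urlencode(query, **kwargs)


# Constructed sample inputs.
PLAIN = {"b": "2", "a": "1", "c": "3"}
ORDERED = OrderedDict([("b", "2"), ("a", "1"), ("c", "3")])
PAIRS = [("b", "2"), ("a", "1")]

if __name__ == "__main__":
    print("hash randomization flag:", sys.flags.hash_randomization)
    print("dict, randomized:    ", stable_urlencode(PLAIN, randomized=True))
    print("dict, fixed seed:    ", stable_urlencode(PLAIN, randomized=False))
    print("OrderedDict:         ", stable_urlencode(ORDERED, randomized=True))
    print("sequence of pairs:   ", stable_urlencode(PAIRS, randomized=True))
```

On Python 3.7 and later a plain dict iterates in insertion order, so the unsorted branch returns the keys as they were inserted rather than in hash order.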
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev