Issue #13703: add a way to randomize the hash values of basic types (str, bytes, datetime)

in order to make algorithmic complexity attacks on (e.g.) web apps much more complicated. The environment variable PYTHONHASHSEED and the new command line flag -R control this behavior.
2025-12-04 00:30:19 +00:00 · 2012-02-20 19:54:16 +01:00 · 2012-02-20 19:54:16 +01:00 · 2daf6ae249
commit 2daf6ae249
parent ec1712a166
32 changed files with 660 additions and 152 deletions
--- a/Lib/test/test_cmd_line.py
+++ b/Lib/test/test_cmd_line.py
@ -4,7 +4,6 @@

 import os
 import test.support, unittest
-import os
 import sys
 import subprocess

@ -190,6 +189,22 @@ sys.stdout.buffer.write(path)"""
            self.assertTrue(path1.encode('ascii') in stdout)
            self.assertTrue(path2.encode('ascii') in stdout)

+    def test_hash_randomization(self):
+        # Verify that -R enables hash randomization:
+        self.verify_valid_flag('-R')
+        hashes = []
+        for i in range(2):
+            code = 'print(hash("spam"))'
+            data, rc = self.start_python_and_exit_code('-R', '-c', code)
+            self.assertEqual(rc, 0)
+            hashes.append(data)
+        self.assertNotEqual(hashes[0], hashes[1])
+
+        # Verify that sys.flags contains hash_randomization
+        code = 'import sys; print("random is", sys.flags.hash_randomization)'
+        data, rc = self.start_python_and_exit_code('-R', '-c', code)
+        self.assertEqual(rc, 0)
+        self.assertIn(b'random is 1', data)

 def test_main():
    test.support.run_unittest(CmdLineTest)