| author | Jarkko Hietaniemi <jhi@iki.fi> | 2003-06-26 05:32:02 +0000 |
|---|---|---|
| committer | Jarkko Hietaniemi <jhi@iki.fi> | 2003-06-26 05:32:02 +0000 |
| commit | 504f80c1f3625809f472c1ce21089fdae860d9fd (patch) | |
| tree | cfeaae7da4b08f0f27798122ecbf4f1efba3b8cb /INSTALL | |
| parent | 14180c03bf5269934b197b82e34fd4696ad1053d (diff) | |
| download | perl-504f80c1f3625809f472c1ce21089fdae860d9fd.tar.gz | |
Bite the bullet and apply the hash randomisation patch.
[perl #22371] Algorithmic Complexity Attack on Perl 5.6.1, 5.8.0
p4raw-id: //depot/perl@19854
Diffstat (limited to 'INSTALL')
-rw-r--r-- | INSTALL | 30 |
1 files changed, 30 insertions, 0 deletions
@@ -836,6 +836,36 @@ Configure should detect this problem and warn you about problems with _exit vs. exit. If you have this problem, the fix is to go back to your sfio sources and correct iffe's guess about atexit. +=head2 Algorithmic Complexity Attacks on Hashes + +In Perls 5.8.0 and earlier it was easy to create degenerate hashes. +Processing such hashes would consume large amounts of CPU time, +causing a "Denial of Service" attack against Perl. Such hashes may be +a problem for example for mod_perl sites, sites with Perl CGI scripts +and web services, that process data originating from external sources. + +In Perl 5.8.1 a security feature was introduced to make it harder +to create such degenerate hashes. + +Because of this feature the keys(), values(), and each() functions +will return the hash elements in different order between different +runs of Perl even with the same data. One can still revert to the old +predictable order by setting the environment variable PERL_HASH_SEED, +see L<perlrun>. Another option is to add -DUSE_HASH_SEED_EXPLICIT to +the compilation flags, in which case one has to explicitly set the +PERL_HASH_SEED environment variable to enable the security feature, +or -DNO_HASH_SEED to completely disable the feature. + +B<Perl does not guarantee any ordering of the hash keys>, and the +ordering has already changed several times during the lifetime of +Perl 5. Also, the ordering of hash keys already (in Perl 5.8.0 and +earlier) depends on the insertion order. + +Note that because of this randomisation for example the Data::Dumper +results will be different between different runs of Perl since +Data::Dumper by default dumps hashes "unordered". The use of the +Data::Dumper C<Sortkeys> filter is recommended. + =head2 SOCKS Perl can be configured to be 'socksified', that is, to use the SOCKS |
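Review bot: the PERL_HASH_SEED paragraph presents fixing the seed purely as a way to get the old predictable key order back, but the section's own opening explains that predictability is exactly what makes degenerate hashes possible; it should state that setting PERL_HASH_SEED (or building with -DNO_HASH_SEED) also gives up the protection, so a mod_perl or CGI site processing external data should not do so in production. Two smaller points in the same hunk: "In Perls 5.8.0 and earlier" should read "In Perl 5.8.0 and earlier", and Sortkeys is a Data::Dumper configuration variable rather than a filter, so "setting $Data::Dumper::Sortkeys = 1 is recommended" would be more precise than "The use of the Data::Dumper C<Sortkeys> filter is recommended".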