Issue 26122: Isolated mode doesn't ignore PYTHONHASHSEED

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title> Issue 26122: Isolated mode doesn't ignore PYTHONHASHSEED - Python tracker </title> <link rel="shortcut icon" href="@@file/favicon.ico" /> <link rel="stylesheet" type="text/css" href="@@file/main.css" /> <link rel="stylesheet" type="text/css" href="@@file/style.css" /> <link rel="search" type="application/opensearchdescription+xml" href="@@file/osd.xml" title="Python bug tracker search" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <script nonce="fb1deade06364fafde31dd3580a2d07fa26c4cee0e9e76cce9e4717c09a07b53" type="text/javascript"> submitted = false; function submit_once() { if (submitted) { alert("Your request is being processed.\nPlease be patient."); return false; } submitted = true; return true; } function help_window(helpurl, width, height) { HelpWin = window.open('https://bugs.python.org/' + helpurl, 'RoundupHelpWindow', 'scrollbars=yes,resizable=yes,toolbar=no,height='+height+',width='+width); HelpWin.focus () } </script> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.15/jquery-ui.js"></script> <script type="text/javascript" src="@@file/issue.item.js"></script> <link rel="stylesheet" type="text/css" href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/smoothness/jquery-ui.css" /> </head> <body>  <h1 id="logoheader"> <a accesskey="1" href="." id="logolink"> <img src="@@file/python-logo.gif" alt="homepage" border="0" id="logo" /></a> </h1> <div id="utility-menu">  <div id="searchbox"> <form name="searchform" method="get" action="issue" id="searchform"> <div id="search"> <input type="hidden" name="@columns" value="id,github,activity,title,creator,assignee,status,type" /> <input type="hidden" name="@sort" value="-activity" /> <input type="hidden" name="@filter" value="status" /> <input type="hidden" name="@action" value="searchid" /> <input type="hidden" name="ignore" value="file:content" /> <input class="input-text" id="search-text" name="@search_text" size="10" /> <input type="submit" id="submit" value="search" name="submit" class="input-button" /> <input type="radio" name="status" id="status_notresolved" value="-1,1,3" /> <label for="status_notresolved">open</label> <input type="radio" name="status" checked="checked" id="status_all" value="-1,1,2,3" /> <label for="status_all">all</label> </div> </form> </div> </div> <div id="left-hand-navigation">  <div id="menu"> <ul class="level-one"> <li><a href="https://www.python.org/" title="Go to the Python homepage">Python Home</a></li> <li><a href="https://www.python.org/about/" title="About The Python Language">About</a></li> <li><a href="https://www.python.org/blogs/" title="">News</a></li> <li><a href="https://www.python.org/doc/" title="">Documentation</a></li> <li><a href="https://www.python.org/downloads/" title="">Downloads</a></li> <li><a href="https://www.python.org/community/" title="">Community</a></li> <li><a href="https://www.python.org/psf/" title="Python Software Foundation">Foundation</a></li> <li><a href="https://devguide.python.org/" title="Python Developer's Guide">Developer's Guide</a></li> <li class="selected"><a href="." class="selected" title="Python Issue Tracker">Issue Tracker</a> <ul class="level-two"> <li> <strong>Issues</strong> <ul class="level-three"> <li><a href="issue?@template=search&status=1">Search</a></li> <li><a href="issue?@action=random">Random Issue</a></li> <li> <form method="post" action="issue26122"> <input type="submit" class="form-small" value="Show issue:" /> <input class="form-small" size="4" type="text" name="@number" /> <input type="hidden" name="@type" value="issue" /> <input type="hidden" name="@action" value="show" /> </form> </li> </ul> </li> <li> <strong>Summaries</strong> <ul class="level-three"> <li> <a href="issue?status=1&@sort=-activity&@columns=id%2Cgithub%2Cactivity%2Ctitle%2Ccreator%2Cstatus&@dispname=Issues%20with%20patch&@startwith=0&@group=priority&keywords=2&@action=search&@filter=&@pagesize=50">Issues with patch</a> </li> <li> <a href="issue?status=1&@sort=-activity&@columns=id%2Cgithub%2Cactivity%2Ctitle%2Ccreator%2Cstatus&@dispname=Easy%20issues&@startwith=0&@group=priority&keywords=6&@action=search&@filter=&@pagesize=50">Easy issues</a> </li> <li> <a href="issue?@template=stats">Stats</a> </li> </ul> </li> <li> <strong>User</strong> <form method="post" action="issue26122"> <ul class="level-three"> <li> Login<br /> <input size="10" name="openid_identifier" style="" /><br /> <input size="10" type="password" name="__login_password" /><br /> <input type="hidden" name="@action" value="Login" /> <input type="checkbox" name="remember" id="remember" /> <label for="remember">Remember me?</label><br /> <input class="form-small" type="submit" value="Login" /><br /> <input type="hidden" name="__came_from" value="https://bugs.python.org/issue26122?"> <input type="hidden" name="@sort" value=""/> <input type="hidden" name="@group" value=""/> <input type="hidden" name="@pagesize" value="50"/> <input type="hidden" name="@startwith" value="0"/> </li> <li> </li> <li><a href="user?@template=forgotten">Lost your login?</a></li> </ul> </form> </li> <li> <strong>Administration</strong> <ul class="level-three"> <li> <a href="user?@sort=username">User List</a></li> <li> <a href="user?iscommitter=1&@action=search&@sort=username&@pagesize=300">Committer List</a></li> </ul> </li> <li> <strong>Help</strong> <ul class="level-three"> <li><a href="http://docs.python.org/devguide/triaging.html"> Tracker Documentation</a></li> <li><a href="http://wiki.python.org/moin/TrackerDevelopment"> Tracker Development</a></li> <li><a href="https://github.com/python/psf-infra-meta/issues"> Report Tracker Problem</a></li> </ul> </li> </ul> </li> </ul> </div>  </div>  <div id="content-body"> <div id="body-main"> <div id="content"> <div id="breadcrumb"> Issue26122 </div> <div id="migration-notice"> <div id="migration-images"> <img width="32" src="@@file/python-logo-small.png" /> ➜ <a href="https://github.com/python/cpython/issues"><img width="32" src="@@file/gh-icon.png" /></a> </div> <p>This issue tracker <b>has been migrated to <a href="https://github.com/python/cpython/issues">GitHub</a></b>, and is currently <b>read-only</b>.<br /> For more information, <a title="GitHub FAQs" href="https://devguide.python.org/gh-faq/"> see the GitHub FAQs in the Python's Developer Guide.</a></p> </div> <div> <form method="post" name="itemSynopsis" onsubmit="return submit_once()" enctype="multipart/form-data" action="issue26122"> <div id="gh-issue-link"> <a href="https://github.com/python/cpython/issues/70310"> <img width="32" src="@@file/gh-icon.png" /> <p> <span>This issue has been migrated to GitHub:</span> https://github.com/python/cpython/issues/70310 </p> </a> </div> <fieldset><legend>classification</legend> <table class="form"> <tr> <th class="required"><a href="http://docs.python.org/devguide/triaging.html#title" target="_blank">Title</a>:</th> <td colspan="3"> <span>Isolated mode doesn't ignore PYTHONHASHSEED</span> <input type="hidden" name="title" value="Isolated mode doesn't ignore PYTHONHASHSEED"> </td> </tr> <tr> <th class="required"><a href="http://docs.python.org/devguide/triaging.html#type" target="_blank">Type</a>:</th> <td>behavior</td> <th><a href="http://docs.python.org/devguide/triaging.html#stage" target="_blank">Stage</a>:</th> <td>resolved</td> </tr> <tr> <th><a href="http://docs.python.org/devguide/triaging.html#components" target="_blank">Components</a>:</th> <td>Interpreter Core</td> <th><a href="http://docs.python.org/devguide/triaging.html#versions" target="_blank">Versions</a>:</th> <td>Python 3.8, Python 3.7</td> </tr> </table> </fieldset> <fieldset><legend>process</legend> <table class="form"> <tr> <th><a href="http://docs.python.org/devguide/triaging.html#status" target="_blank">Status</a>:</th> <td>closed</td> <th><a href="http://docs.python.org/devguide/triaging.html#resolution" target="_blank">Resolution</a>:</th> <td>fixed</td> </tr> <tr> <th> <a href="http://docs.python.org/devguide/triaging.html#dependencies" target="_blank">Dependencies</a>: </th> <td> </td> <th><a href="http://docs.python.org/devguide/triaging.html#superseder" target="_blank">Superseder</a>:</th> <td> </td> </tr> <tr> <th> <a href="http://docs.python.org/devguide/triaging.html#assigned-to" target="_blank">Assigned To</a>: </th> <td> </td> <th> <a href="http://docs.python.org/devguide/triaging.html#nosy-list" target="_blank">Nosy List</a>: </th> <td> christian.heimes, ncoghlan, vstinner </td> </tr> <tr> <th> <a href="http://docs.python.org/devguide/triaging.html#priority" target="_blank">Priority</a>: </th> <td>normal</td> <th> <a href="http://docs.python.org/devguide/triaging.html#keywords" target="_blank">Keywords</a>: </th> <td></td> </tr> </table> </fieldset> </form> <p>Created on <strong>2016-01-15 12:48</strong> by <strong>ncoghlan</strong>, last changed <strong>2022-04-11 14:58</strong> by <strong>admin</strong>. This issue is now <strong style="color:#00F; background-color:inherit;">closed</strong>.</p> <table class="messages"> <tr><th colspan="4" class="header">Messages (4)</th></tr> <tr> <th> <a href="#msg258290" id="msg258290">msg258290</a> - <a href="msg258290">(view)</a></th> <th>Author: Alyssa Coghlan (ncoghlan) <span title="Contributor form received">*</span> <img src="@@file/committer.png" title="Python committer" alt="(Python committer)" /></th> <th>Date: 2016-01-15 12:48</th> </tr> <tr> <td colspan="4" class="content"> <pre>While working on the draft <a href="https://www.python.org/dev/peps/pep-0432/">PEP 432</a> implementation, I noticed that -I isn't special cased for early processing the same way that -E is: <a href="https://hg.python.org/cpython/file/tip/Modules/main.c#l265">https://hg.python.org/cpython/file/tip/Modules/main.c#l265</a> This means that when isolated mode is used to turn off environment variable access, PYTHONHASHSEED may still be read while configuring hash randomisation.</pre> </td> </tr> <tr> <th> <a href="#msg342533" id="msg342533">msg342533</a> - <a href="msg342533">(view)</a></th> <th>Author: STINNER Victor (vstinner) <span title="Contributor form received">*</span> <img src="@@file/committer.png" title="Python committer" alt="(Python committer)" /></th> <th>Date: 2019-05-15 02:23</th> </tr> <tr> <td colspan="4" class="content"> <pre>This issue has been fixed in Python 3.8 with my work on refactoring Py_Main(). -E and -I command line options are now parsed, before reading PYTHONHASHSEED, and -I imply -E as expected. Extract of the code: if (config->isolated > 0) { config->user_site_directory = 0; } if (config->use_environment) { err = config_read_env_vars(config); if (_Py_INIT_FAILED(err)) { return err; } } where config_read_env_vars() indirectly reads PYTHONHASHSEED. I'm not sure if the issue is fixed in Python 3.7 or not. The code in Python 3.7 was in a bad state. It's getting better with Python 3.8 :-) Note: the overall refactoring work is related to <a href="https://www.python.org/dev/peps/pep-0432/">PEP 432</a> and <a href="https://www.python.org/dev/peps/pep-0587/">PEP 587</a>.</pre> </td> </tr> <tr> <th> <a href="#msg342553" id="msg342553">msg342553</a> - <a href="msg342553">(view)</a></th> <th>Author: Christian Heimes (christian.heimes) <span title="Contributor form received">*</span> <img src="@@file/committer.png" title="Python committer" alt="(Python committer)" /></th> <th>Date: 2019-05-15 08:38</th> </tr> <tr> <td colspan="4" class="content"> <pre>Is there a way to fix the issue in 3.7 and earlier? We might consider it a security issue.</pre> </td> </tr> <tr> <th> <a href="#msg342919" id="msg342919">msg342919</a> - <a href="msg342919">(view)</a></th> <th>Author: STINNER Victor (vstinner) <span title="Contributor form received">*</span> <img src="@@file/committer.png" title="Python committer" alt="(Python committer)" /></th> <th>Date: 2019-05-20 15:32</th> </tr> <tr> <td colspan="4" class="content"> <pre>> Is there a way to fix the issue in 3.7 and earlier? We might consider it a security issue. Hum, Python 3.7 is fixed as well. At least, in the 3.7 dev branch. Fixed seed: <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 ./python -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 ./python -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 ./python -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 ./python -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} Random seed: <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 ./python -I -c 'print(set("abcdefgh"))' {'b', 'e', 'd', 'f', 'g', 'c', 'a', 'h'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 ./python -I -c 'print(set("abcdefgh"))' {'d', 'g', 'e', 'b', 'h', 'f', 'a', 'c'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 ./python -I -c 'print(set("abcdefgh"))' {'e', 'b', 'g', 'c', 'a', 'h', 'f', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 ./python -I -c 'print(set("abcdefgh"))' {'c', 'd', 'a', 'g', 'f', 'e', 'h', 'b'} -- Python 3.6 has the bug: <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 python3.6 -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 python3.6 -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 python3.6 -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 python3.6 -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 python3.6 -I -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 python3.6 -I -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 python3.6 -I -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'} <a href="mailto:vstinner@apu">vstinner@apu</a>$ PYTHONHASHSEED=42 python3.6 -I -c 'print(set("abcdefgh"))' {'g', 'e', 'a', 'b', 'c', 'f', 'h', 'd'}</pre> </td> </tr> </table> <table class="history table table-condensed table-striped"><tr><th colspan="4" class="header"> History </th></tr><tr> <th>Date</th> <th>User</th> <th>Action</th> <th>Args</th> </tr> <tr><td>2022-04-11 14:58:26</td><td>admin</td><td>set</td><td>github: 70310</td></tr> <tr><td>2019-05-20 15:32:22</td><td>vstinner</td><td>set</td><td>messages: + <a rel="nofollow" href="msg342919">msg342919</a><br />versions: + Python 3.7</td></tr> <tr><td>2019-05-15 08:38:11</td><td>christian.heimes</td><td>set</td><td>messages: + <a rel="nofollow" href="msg342553">msg342553</a></td></tr> <tr><td>2019-05-15 02:23:01</td><td>vstinner</td><td>set</td><td>status: open -> closed<br />versions: + Python 3.8, - Python 3.5, Python 3.6<br />messages: + <a rel="nofollow" href="msg342533">msg342533</a><br /><br />components: + Interpreter Core<br />resolution: fixed<br />stage: test needed -> resolved</td></tr> <tr><td>2017-05-15 08:50:42</td><td>vstinner</td><td>set</td><td>nosy: + <a rel="nofollow" href="user2377">vstinner</a><br /></td></tr> <tr><td>2016-06-12 11:22:59</td><td>christian.heimes</td><td>set</td><td>assignee: <a ref="nofollow" href="user3108">christian.heimes</a> -> <a rel="nofollow" href="userNone"></a></td></tr> <tr><td>2016-01-15 12:48:14</td><td>ncoghlan</td><td>create</td><td></td></tr> </table> </div> </div>  <div id="footer"> <div id="credits"> Supported by <a href="https://python.org/psf-landing/" title="The Python Software Foundation">The Python Software Foundation</a>, <br> Powered by <a href="http://roundup.sourceforge.net" title="Powered by the Roundup Issue Tracker">Roundup</a> </div>  Copyright © 1990-2022, <a href="http://python.org/psf">Python Software Foundation</a><br /> <a href="http://python.org/about/legal">Legal Statements</a> </div>  </div>  </div>  </body> </html>

CINXE.COM

Issue 26122: Isolated mode doesn't ignore PYTHONHASHSEED - Python tracker