Nate Clark
Standup 9/15/2009: Hashing a String, Nginx Security Patch
Posted by Nate Clark on Tuesday September 15, 2009 at 09:13AM

Interesting Things

  • String#hash does not always produce the same hash on different machines and/or different architectures. Don't use the hash of a string across machines to identify it.

  • Nginx has released a security patch to fix a remote execution security vulnerability.
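
The String#hash item above, as an added example (not code from the original post): current Ruby seeds String#hash randomly in each interpreter process, so the value differs even between two runs on one machine, while a content digest such as SHA-256 depends only on the bytes. The helper names and the sample key are made up for illustration.

```ruby
require "digest"
require "open3"
require "rbconfig"

# Run a one-line Ruby script in a fresh interpreter and return its output.
def in_fresh_process(script, arg)
  out, status = Open3.capture2(RbConfig.ruby, "-e", script, arg)
  raise "child ruby failed" unless status.success?
  out.strip
end

# String#hash of `str` as computed by `count` separate interpreter processes.
# Each process draws its own hash seed at startup, so the values differ.
def builtin_hashes(str, count = 3)
  Array.new(count) { in_fresh_process("print ARGV[0].hash", str) }
end

# SHA-256 of `str` as computed by `count` separate interpreter processes.
def digest_ids(str, count = 3)
  script = 'require "digest"; print Digest::SHA256.hexdigest(ARGV[0])'
  Array.new(count) { in_fresh_process(script, str) }
end

# Stable identifier: a function of the string's bytes only, so it can be
# stored, compared across machines, or used as a cache or shard key.
def stable_id(str)
  Digest::SHA256.hexdigest(str.b)
end

if __FILE__ == $PROGRAM_NAME
  key = "user:42" # constructed sample value
  puts "String#hash per process: #{builtin_hashes(key).inspect}"
  puts "SHA-256 per process:     #{digest_ids(key).uniq.inspect}"
  puts "stable_id in this one:   #{stable_id(key)}"
end
```
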

Comments

  1. Stephan Wehner on September 15, 2009 at 01:18PM

    Here's the code at revision 24934 ( Tue Sep 15 05:27:29 2009 UTC ); search for "hash".

    http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/string.c?revision=24934&view=markup

    ( It uses "Murmurhash", http://murmurhash.googlepages.com )

    This snippet seems to cause what you are describing:

        st_index_t
        rb_hash_start(st_index_t h)
        {
            static int hashseed_init = 0;
            static VALUE hashseed;

            /* The seed is drawn from the random number generator once, on first use. */
            if (!hashseed_init) {
                hashseed = rb_genrand_int32();
        #if SIZEOF_VALUE*CHAR_BIT > 4*8
                hashseed <<= 4*8;
                hashseed |= rb_genrand_int32();
        #endif
        #if SIZEOF_VALUE*CHAR_BIT > 8*8
                hashseed <<= 8*8;
                hashseed |= rb_genrand_int32();
        #endif
        #if SIZEOF_VALUE*CHAR_BIT > 12*8
                hashseed <<= 12*8;
                hashseed |= rb_genrand_int32();
        #endif
                hashseed_init = 1;
            }
            /* ... */
        }


    Not quite sure.

    Stephan

  2. Stephan Wehner on September 15, 2009 at 01:20PM

    Sorry, that comment doesn't come out well. I guess I wasn't aware of your blog software's formatting function.

    S