When Perl 5.8.1 came out it added hash randomization. When Perl 5.8.2 came out, I thought, it removed hash randomization unless an environment variable (PERL_HASH_SEED
) was present. It now seems as if I am gravely mistaken as
PERL_HASH_SEED=$SEED perl -MData::Dumper -e 'print Dumper{map{$_,1}"a".."z"}'
Always kicks back the same key ordering regardless of the value of $SEED
.
Did hash randomization go completely away, am I doing something wrong, or is this a bug?
See Algorithmic Complexity Attacks:
In Perl 5.8.1 the hash function is randomly perturbed by a pseudorandom seed which makes generating such naughty hash keys harder. [...] but as of 5.8.2 it is only used on individual hashes if the internals detect the insertion of pathological data.
So randomization doesn't always happen, only when perl detects that it's needed.
At a minimum there have been some sloppy documentation updates. In the third paragraph of perlrun's entry for PERL_HASH_SEED
it says:
The default behaviour is to randomise unless the PERL_HASH_SEED
is set.
which which was true only in 5.8.1 and contradicts the paragraph immediately preceding it:
Most hashes by default return elements in the same order as in Perl 5.8.0. On a hash by hash basis, if pathological data is detected during a hash key insertion, then that hash will switch to an alternative random hash seed.
perlsec's entry for Algorithmic Complexity Attacks gets this right:
In Perl 5.8.1 the random perturbation was done by default, but as of
5.8.2 it is only used on individual hashes if the internals detect the
insertion of pathological data.
perlsec goes on to say
If one wants for some reason emulate the old behaviour [...] set the
environment variable PERL_HASH_SEED
to zero to disable the
protection (or any other integer to force a known perturbation, rather
than random).
[emphasis added]
Since setting PERL_HASH_SEED
does not effect the hash order, I'd call it a bug. Searching for "PERL_HASH_SEED" on rt.perl.org didn't return any results, so it doesn't appear to be a "known" issue.