From 9a77171ccc2838c2fd7b666ed9ee9c7ba8ebd488 Mon Sep 17 00:00:00 2001 From: Giuseppe D'Angelo Date: Sat, 24 Mar 2012 08:50:02 +0000 Subject: QHash security fix (1.5/2): qHash two arguments overload support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Algorithmic complexity attacks against hash tables have been known since 2003 (cf. [1, 2]), and they have been left unpatched for years until the 2011 attacks [3] against many libraries / (reference) implementations of programming languages. This patch adds a qHash overload taking two arguments: the value to be hashed, and a uint to be used as a seed for the hash function itself (support the global QHash seed was added in a previous patch). The seed itself is not used just yet; instead, 0 is passed. Compatibility with the one-argument qHash(T) implementation is kept through a catch-all template. [1] http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec2003.pdf [2] http://perldoc.perl.org/perlsec.html#Algorithmic-Complexity-Attacks [3] http://www.ocert.org/advisories/ocert-2011-003.html Task-number: QTBUG-23529 Change-Id: I1d0a84899476d134db455418c8043a349a7e5317 Reviewed-by: João Abecasis --- doc/src/snippets/code/src_corelib_tools_qhash.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc/src') diff --git a/doc/src/snippets/code/src_corelib_tools_qhash.cpp b/doc/src/snippets/code/src_corelib_tools_qhash.cpp index 6595119e40..2fa73bac46 100644 --- a/doc/src/snippets/code/src_corelib_tools_qhash.cpp +++ b/doc/src/snippets/code/src_corelib_tools_qhash.cpp @@ -155,9 +155,9 @@ inline bool operator==(const Employee &e1, const Employee &e2) && e1.dateOfBirth() == e2.dateOfBirth(); } -inline uint qHash(const Employee &key) +inline uint qHash(const Employee &key, uint seed) { - return qHash(key.name()) ^ key.dateOfBirth().day(); + return qHash(key.name(), seed) ^ key.dateOfBirth().day(); } #endif // EMPLOYEE_H -- cgit v1.2.3