From: Jarkko Hietaniemi <jhi@iki.fi> Date: Tue, 9 Sep 2003 11:55:33 +0000 (+0000) Subject: Warn more about disclosing the hash seed, from Scott A. Crosby. X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=26a2d34763c26e0d624a4f2227cb0f7da1812632;p=p5sagit%2Fp5-mst-13.2.git Warn more about disclosing the hash seed, from Scott A. Crosby. p4raw-id: //depot/perl@21139 --- diff --git a/lib/Hash/Util.pm b/lib/Hash/Util.pm index 8e8c952..c5d3059 100644 --- a/lib/Hash/Util.pm +++ b/lib/Hash/Util.pm @@ -187,6 +187,12 @@ hash_seed() returns the seed number used to randomise hash ordering. Zero means the "traditional" random hash ordering, non-zero means the new even more random hash ordering introduced in Perl 5.8.1. +B<Note that the hash seed is sensitive information>: by knowing it one +can craft a denial-of-service attack against Perl code, even remotely, +see L<perlsec/"Algorithmic Complexity Attacks"> for more information. +B<Do not disclose the hash seed> to people who don't need to know it. +See also L<perlrun/PERL_HASH_SEED_DEBUG>. + =cut sub hash_seed () { diff --git a/pod/perlrun.pod b/pod/perlrun.pod index 7f32e94..81d4749 100644 --- a/pod/perlrun.pod +++ b/pod/perlrun.pod 
@@ -1139,16 +1139,24 @@ the pseudorandom seed supplied by the operating system and libraries. This means that each different run of Perl will have a different ordering of the results of keys(), values(), and each(). -See L<perlsec/"Algorithmic Complexity Attacks"> for more information, -and also L</PERL_HASH_SEED_DEBUG>. +B<Please note that the hash seed is sensitive information>. Hashes are +randomized to protect against local and remote attacks against Perl +code. By manually setting a seed this protection may be partially or +completely lost. + +See L<perlsec/"Algorithmic Complexity Attacks"> and +L</PERL_HASH_SEED_DEBUG> for more information. =item PERL_HASH_SEED_DEBUG (Since Perl 5.8.1.) Set to one to display (to STDERR) the value of -the hash seed at the beginning of execution. B<Note that the hash -seed is sensitive information>: by knowing it one can craft a -denial-of-service attack against Perl code, even remotely, see -L<perlsec/"Algorithmic Complexity Attacks"> for more information. +the hash seed at the beginning of execution. This, combined with +L</PERL_HASH_SEED> is intended to aid in debugging nondeterministic +behavior caused by hash randomization. + +B<Note that the hash seed is sensitive information>: by knowing it one +can craft a denial-of-service attack against Perl code, even remotely, +see L<perlsec/"Algorithmic Complexity Attacks"> for more information. B<Do not disclose the hash seed> to people who don't need to know it. See also hash_seed() of L<Hash::Util>.
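Review bot: the new warning in the hash_seed() documentation (lib/Hash/Util.pm hunk) tells the reader not to disclose the seed but never says what that means for the function it documents: the return value of hash_seed() is the secret, so the sentence "B<Do not disclose the hash seed> to people who don't need to know it." would be stronger followed by something like "In particular, do not write the value returned by hash_seed() to logs, error messages, test output or bug reports that others can read." Separately, the unchanged context line 'Zero means the "traditional" random hash ordering' sits directly above the new warning and reads as if zero were still a protective setting; since the same sentence calls non-zero the "even more random" ordering introduced in 5.8.1, it would help to state plainly that zero selects the pre-5.8.1 behaviour and so gives up the protection the warning is about.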
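Review bot: in the PERL_HASH_SEED paragraph of the pod/perlrun.pod hunk, "By manually setting a seed this protection may be partially or completely lost." leaves the reader to guess which settings lose what. Two things follow from the visible text and could be said outright: a seed fixed through this variable is only as secret as wherever it is set (a shell profile, a service configuration, a wrapper script), so a fixed seed is exactly the disclosure the next paragraph warns against; and the Hash::Util hunk in this same patch says zero means the "traditional" ordering rather than the "even more random" one from 5.8.1, so zero in particular forgoes the new protection. Suggested wording: "A fixed seed is as sensitive as the seed itself, and a seed of zero reverts to the pre-5.8.1 ordering." Minor: in the PERL_HASH_SEED_DEBUG text, "This, combined with L</PERL_HASH_SEED> is intended to aid" needs a comma after the link to close the parenthetical.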