Closed cowtowncoder closed 12 years ago
Ok, some learnings:
Some remaining practical alternatives include:
In both cases it is important to note that per-Map seed value should make it impractical to pre-calculate collisions.
With some testing, found out that Adler-32 is not (alas!) a good alternative; number of collisions is surprisingly high.
So: with that, changes to make will be:
NOTE: this does NOT fix potential issue with ObjectNode; that is covered by another Issue.
On versions: fixes included in upcoming releases:
There have been some attacks (DoS) that make use of collisions in String.hashCode() values (or at least their low-bits collisions). The one place where this matters most is in handling of symbol table: although Jackson actually does not directly use String.hashCode(), internal calculation is along the same lines.
This should be changed by, for example:
Care needs to be taken as this is one of the more performance-critical paths.
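An added example (not Jackson's code and not part of the original issue) of why the way a per-Map seed enters the hash matters: with a `String.hashCode()`-style multiply-add, a seed used only as the start value leaves every precomputed equal-length collision intact. The class and method names are hypothetical, and the FNV-1a-style step is an illustrative stand-in, not a hash the issue proposes or a claim that it withstands a targeted attack.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;
import java.util.function.ToIntFunction;

public class SeededHashDemo {
    // String.hashCode()-style multiply-add; the seed is only the start value.
    static int seedAsStart(String s, int seed) {
        int h = seed;
        for (int i = 0; i < s.length(); i++) h = 31 * h + s.charAt(i);
        return h;
    }

    // Assumed alternative (FNV-1a-style step): XOR then multiply, so the running
    // state, and with it the seed, changes how each char is mixed in.
    static int seedMixedIn(String s, int seed) {
        int h = seed;
        for (int i = 0; i < s.length(); i++) h = (h ^ s.charAt(i)) * 0x01000193;
        return h;
    }

    // Constructed sample input: every "Aa"/"BB" combination of `blocks` blocks.
    // "Aa" and "BB" share a String.hashCode(), so all 2^blocks keys collide there.
    static List<String> sampleKeys(int blocks) {
        List<String> keys = new ArrayList<>(List.of(""));
        for (int b = 0; b < blocks; b++) {
            List<String> next = new ArrayList<>();
            for (String k : keys) {
                next.add(k + "Aa");
                next.add(k + "BB");
            }
            keys = next;
        }
        return keys;
    }

    static long distinct(List<String> keys, ToIntFunction<String> hash) {
        return keys.stream().mapToInt(hash).distinct().count();
    }

    public static void main(String[] args) {
        List<String> keys = sampleKeys(8); // 256 constructed keys
        for (int seed : new int[] {0, 0x5bd1e995, new SecureRandom().nextInt()}) {
            long startOnly = distinct(keys, k -> seedAsStart(k, seed));
            long mixedIn = distinct(keys, k -> seedMixedIn(k, seed));
            System.out.printf("seed=%08x start-only=%d mixed-in=%d of %d keys%n",
                    seed, startOnly, mixedIn, keys.size());
        }
    }
}
```

For equal-length keys the start-only variant adds the same `seed * 31^n` term to every hash, so the count of distinct values stays at one whatever seed is drawn.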