Fixes Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes

in the hash table internal to the pyexpat module's copy of the expat library to avoid a denial of service due to hash collisions. Patch by David Malcolm with some modifications by the expat project.

Fixes Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes
in the hash table internal to the pyexpat module's copy of the expat library to avoid a denial of service due to hash collisions. Patch by David Malcolm with some modifications by the expat project.
373c7409 · Gregory P. Smith · 9fd170e2 · 8e91cf6a · 373c7409 · 373c7409
Commit 373c7409 authored Mar 14, 2012 by Gregory P. Smith
5 changed files
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -69,10 +69,23 @@ Extension Modules
  scanning, resulting in segfaults.
+What's New in Python 3.2.3 release candidate 2?
+===============================================
+*Release date: XX-Mar-2012*
+Library
+-------
+- Issue #14234: CVE-2012-0876: Randomize hashes of xml attributes in the hash
+  table internal to the pyexpat module's copy of the expat library to avoid a
+  denial of service due to hash collisions.  Patch by David Malcolm with some
+  modifications by the expat project.
 What's New in Python 3.2.3 release candidate 1?
 ===============================================
-*Release date: 24-Feb-2011*
+*Release date: 24-Feb-2012*
 Core and Builtins
 -----------------

--- a/Modules/expat/expat.h
+++ b/Modules/expat/expat.h
@@ -883,6 +883,15 @@ XMLPARSEAPI(int)
 XML_SetParamEntityParsing(XML_Parser parser,
                          enum XML_ParamEntityParsing parsing);
+/* Sets the hash salt to use for internal hash calculations.
+   Helps in preventing DoS attacks based on predicting hash
+   function behavior. This must be called before parsing is started.
+   Returns 1 if successful, 0 when called after parsing has started.
+*/
+XMLPARSEAPI(int)
+XML_SetHashSalt(XML_Parser parser,
+                unsigned long hash_salt);
 /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
   XML_GetErrorCode returns information about the error.
 */

--- a/Modules/expat/pyexpatns.h
+++ b/Modules/expat/pyexpatns.h
@@ -97,6 +97,7 @@
 #define XML_SetEntityDeclHandler        PyExpat_XML_SetEntityDeclHandler
 #define XML_SetExternalEntityRefHandler PyExpat_XML_SetExternalEntityRefHandler
 #define XML_SetExternalEntityRefHandlerArg  PyExpat_XML_SetExternalEntityRefHandlerArg
+#define XML_SetHashSalt                 PyExpat_XML_SetHashSalt
 #define XML_SetNamespaceDeclHandler     PyExpat_XML_SetNamespaceDeclHandler
 #define XML_SetNotationDeclHandler      PyExpat_XML_SetNotationDeclHandler
 #define XML_SetNotStandaloneHandler     PyExpat_XML_SetNotStandaloneHandler

--- a/Modules/expat/xmlparse.c
+++ b/Modules/expat/xmlparse.c
@@ -17,6 +17,8 @@
 #include <stddef.h>
 #include <string.h>                     /* memset(), memcpy() */
 #include <assert.h>
+#include <limits.h>                     /* UINT_MAX */
+#include <time.h>                       /* time() */
 #include "expat.h"
@@ -387,12 +389,13 @@ static void dtdReset(DTD *p, const XML_Memory_Handling_Suite *ms);
 static void
 dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms);
 static int
-dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms);
+dtdCopy(XML_Parser oldParser,
+        DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms);
 static int
-copyEntityTable(HASH_TABLE *, STRING_POOL *, const HASH_TABLE *);
+copyEntityTable(XML_Parser oldParser,
+                HASH_TABLE *, STRING_POOL *, const HASH_TABLE *);
 static NAMED *
-lookup(HASH_TABLE *table, KEY name, size_t createSize);
+lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize);
 static void FASTCALL
 hashTableInit(HASH_TABLE *, const XML_Memory_Handling_Suite *ms);
 static void FASTCALL hashTableClear(HASH_TABLE *);
@@ -425,6 +428,9 @@ static ELEMENT_TYPE *
 getElementType(XML_Parser parser, const ENCODING *enc,
               const char *ptr, const char *end);
+static unsigned long generate_hash_secret_salt(void);
+static XML_Bool startParsing(XML_Parser parser);
 static XML_Parser
 parserCreate(const XML_Char *encodingName,
             const XML_Memory_Handling_Suite *memsuite,
@@ -542,6 +548,7 @@ struct XML_ParserStruct {
  XML_Bool m_useForeignDTD;
  enum XML_ParamEntityParsing m_paramEntityParsing;
 #endif
+  unsigned long m_hash_secret_salt;
 };
 #define MALLOC(s) (parser->m_mem.malloc_fcn((s)))
@@ -649,6 +656,7 @@ struct XML_ParserStruct {
 #define useForeignDTD (parser->m_useForeignDTD)
 #define paramEntityParsing (parser->m_paramEntityParsing)
 #endif /* XML_DTD */
+#define hash_secret_salt (parser->m_hash_secret_salt)
 XML_Parser XMLCALL
 XML_ParserCreate(const XML_Char *encodingName)
@@ -671,22 +679,36 @@ static const XML_Char implicitContext[] = {
  'n', 'a', 'm', 'e', 's', 'p', 'a', 'c', 'e', '\0'
 };
-XML_Parser XMLCALL
+static unsigned long
-XML_ParserCreate_MM(const XML_Char *encodingName,
+generate_hash_secret_salt(void)
-                    const XML_Memory_Handling_Suite *memsuite,
+{
-                    const XML_Char *nameSep)
+  unsigned int seed = time(NULL) % UINT_MAX;
+  srand(seed);
+  return rand();
+}
+static XML_Bool  /* only valid for root parser */
+startParsing(XML_Parser parser)
 {
-  XML_Parser parser = parserCreate(encodingName, memsuite, nameSep, NULL);
+  /* hash functions must be initialized before setContext() is called */
-  if (parser != NULL && ns) {
+  if (hash_secret_salt == 0)
+    hash_secret_salt = generate_hash_secret_salt();
+  if (ns) {
    /* implicit context only set for root parser, since child
       parsers (i.e. external entity parsers) will inherit it
    */
-    if (!setContext(parser, implicitContext)) {
+    return setContext(parser, implicitContext);
-      XML_ParserFree(parser);
-      return NULL;
-    }
  }
-  return parser;
+  return XML_TRUE;
+}
+XML_Parser XMLCALL
+XML_ParserCreate_MM(const XML_Char *encodingName,
+    const XML_Memory_Handling_Suite *memsuite,
+    const XML_Char *nameSep)
+{
+  return parserCreate(encodingName, memsuite, nameSep, NULL);
 }
 static XML_Parser
@@ -860,6 +882,7 @@ parserInit(XML_Parser parser, const XML_Char *encodingName)
  useForeignDTD = XML_FALSE;
  paramEntityParsing = XML_PARAM_ENTITY_PARSING_NEVER;
 #endif
+  hash_secret_salt = 0;
 }
 /* moves list of bindings to freeBindingList */
@@ -907,7 +930,7 @@ XML_ParserReset(XML_Parser parser, const XML_Char *encodingName)
  poolClear(&temp2Pool);
  parserInit(parser, encodingName);
  dtdReset(_dtd, &parser->m_mem);
-  return setContext(parser, implicitContext);
+  return XML_TRUE;
 }
 enum XML_Status XMLCALL
@@ -976,6 +999,12 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser,
  int oldInEntityValue = prologState.inEntityValue;
 #endif
  XML_Bool oldns_triplets = ns_triplets;
+  /* Note that the new parser shares the same hash secret as the old
+     parser, so that dtdCopy and copyEntityTable can lookup values
+     from hash tables associated with either parser without us having
+     to worry which hash secrets each table has.
+  */
+  unsigned long oldhash_secret_salt = hash_secret_salt;
 #ifdef XML_DTD
  if (!context)
@@ -1029,13 +1058,14 @@ XML_ExternalEntityParserCreate(XML_Parser oldParser,
    externalEntityRefHandlerArg = oldExternalEntityRefHandlerArg;
  defaultExpandInternalEntities = oldDefaultExpandInternalEntities;
  ns_triplets = oldns_triplets;
+  hash_secret_salt = oldhash_secret_salt;
  parentParser = oldParser;
 #ifdef XML_DTD
  paramEntityParsing = oldParamEntityParsing;
  prologState.inEntityValue = oldInEntityValue;
  if (context) {
 #endif /* XML_DTD */
-    if (!dtdCopy(_dtd, oldDtd, &parser->m_mem)
+    if (!dtdCopy(oldParser, _dtd, oldDtd, &parser->m_mem)
      || !setContext(parser, context)) {
      XML_ParserFree(parser);
      return NULL;
@@ -1420,6 +1450,17 @@ XML_SetParamEntityParsing(XML_Parser parser,
 #endif
 }
+int XMLCALL
+XML_SetHashSalt(XML_Parser parser,
+                unsigned long hash_salt)
+{
+  /* block after XML_Parse()/XML_ParseBuffer() has been called */
+  if (ps_parsing == XML_PARSING || ps_parsing == XML_SUSPENDED)
+    return 0;
+  hash_secret_salt = hash_salt;
+  return 1;
+}
 enum XML_Status XMLCALL
 XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
 {
@@ -1430,6 +1471,11 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
  case XML_FINISHED:
    errorCode = XML_ERROR_FINISHED;
    return XML_STATUS_ERROR;
+  case XML_INITIALIZED:
+    if (parentParser == NULL && !startParsing(parser)) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return XML_STATUS_ERROR;
+    }
  default:
    ps_parsing = XML_PARSING;
  }
@@ -1488,11 +1534,13 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal)
        break;
      case XML_INITIALIZED:
      case XML_PARSING:
-        result = XML_STATUS_OK;
        if (isFinal) {
          ps_parsing = XML_FINISHED;
-          return result;
+          return XML_STATUS_OK;
        }
+      /* fall through */
+      default:
+        result = XML_STATUS_OK;
      }
    }
@@ -1553,6 +1601,11 @@ XML_ParseBuffer(XML_Parser parser, int len, int isFinal)
  case XML_FINISHED:
    errorCode = XML_ERROR_FINISHED;
    return XML_STATUS_ERROR;
+  case XML_INITIALIZED:
+    if (parentParser == NULL && !startParsing(parser)) {
+      errorCode = XML_ERROR_NO_MEMORY;
+      return XML_STATUS_ERROR;
+    }
  default:
    ps_parsing = XML_PARSING;
  }
@@ -2231,7 +2284,7 @@ doContent(XML_Parser parser,
                                next - enc->minBytesPerChar);
        if (!name)
          return XML_ERROR_NO_MEMORY;
-        entity = (ENTITY *)lookup(&dtd->generalEntities, name, 0);
+        entity = (ENTITY *)lookup(parser, &dtd->generalEntities, name, 0);
        poolDiscard(&dtd->pool);
        /* First, determine if a check for an existing declaration is needed;
           if yes, check that the entity exists, and that it is internal,
@@ -2618,12 +2671,12 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
  const XML_Char *localPart;
  /* lookup the element type name */
-  elementType = (ELEMENT_TYPE *)lookup(&dtd->elementTypes, tagNamePtr->str,0);
+  elementType = (ELEMENT_TYPE *)lookup(parser, &dtd->elementTypes, tagNamePtr->str,0);
  if (!elementType) {
    const XML_Char *name = poolCopyString(&dtd->pool, tagNamePtr->str);
    if (!name)
      return XML_ERROR_NO_MEMORY;
-    elementType = (ELEMENT_TYPE *)lookup(&dtd->elementTypes, name,
+    elementType = (ELEMENT_TYPE *)lookup(parser, &dtd->elementTypes, name,
                                         sizeof(ELEMENT_TYPE));
    if (!elementType)
      return XML_ERROR_NO_MEMORY;
@@ -2792,9 +2845,9 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
      if (s[-1] == 2) {  /* prefixed */
        ATTRIBUTE_ID *id;
        const BINDING *b;
-        unsigned long uriHash = 0;
+        unsigned long uriHash = hash_secret_salt;
        ((XML_Char *)s)[-1] = 0;  /* clear flag */
-        id = (ATTRIBUTE_ID *)lookup(&dtd->attributeIds, s, 0);
+        id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, s, 0);
        if (!id)
          return XML_ERROR_NO_MEMORY;
        b = id->prefix->binding;
@@ -2818,7 +2871,7 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
        } while (*s++);
        { /* Check hash table for duplicate of expanded name (uriName).
-             Derived from code in lookup(HASH_TABLE *table, ...).
+             Derived from code in lookup(parser, HASH_TABLE *table, ...).
          */
          unsigned char step = 0;
          unsigned long mask = nsAttsSize - 1;
@@ -3756,7 +3809,8 @@ doProlog(XML_Parser parser,
    case XML_ROLE_DOCTYPE_PUBLIC_ID:
 #ifdef XML_DTD
      useForeignDTD = XML_FALSE;
-      declEntity = (ENTITY *)lookup(&dtd->paramEntities,
+      declEntity = (ENTITY *)lookup(parser,
+                                    &dtd->paramEntities,
                                    externalSubsetName,
                                    sizeof(ENTITY));
      if (!declEntity)
@@ -3811,7 +3865,8 @@ doProlog(XML_Parser parser,
        XML_Bool hadParamEntityRefs = dtd->hasParamEntityRefs;
        dtd->hasParamEntityRefs = XML_TRUE;
        if (paramEntityParsing && externalEntityRefHandler) {
-          ENTITY *entity = (ENTITY *)lookup(&dtd->paramEntities,
+          ENTITY *entity = (ENTITY *)lookup(parser,
+                                            &dtd->paramEntities,
                                            externalSubsetName,
                                            sizeof(ENTITY));
          if (!entity)
@@ -3855,7 +3910,7 @@ doProlog(XML_Parser parser,
        XML_Bool hadParamEntityRefs = dtd->hasParamEntityRefs;
        dtd->hasParamEntityRefs = XML_TRUE;
        if (paramEntityParsing && externalEntityRefHandler) {
-          ENTITY *entity = (ENTITY *)lookup(&dtd->paramEntities,
+          ENTITY *entity = (ENTITY *)lookup(parser, &dtd->paramEntities,
                                            externalSubsetName,
                                            sizeof(ENTITY));
          if (!entity)
@@ -4069,7 +4124,8 @@ doProlog(XML_Parser parser,
      break;
 #else /* XML_DTD */
      if (!declEntity) {
-        declEntity = (ENTITY *)lookup(&dtd->paramEntities,
+        declEntity = (ENTITY *)lookup(parser,
+                                      &dtd->paramEntities,
                                      externalSubsetName,
                                      sizeof(ENTITY));
        if (!declEntity)
@@ -4144,7 +4200,7 @@ doProlog(XML_Parser parser,
          const XML_Char *name = poolStoreString(&dtd->pool, enc, s, next);
          if (!name)
            return XML_ERROR_NO_MEMORY;
-          declEntity = (ENTITY *)lookup(&dtd->generalEntities, name,
+          declEntity = (ENTITY *)lookup(parser, &dtd->generalEntities, name,
                                        sizeof(ENTITY));
          if (!declEntity)
            return XML_ERROR_NO_MEMORY;
@@ -4176,7 +4232,7 @@ doProlog(XML_Parser parser,
        const XML_Char *name = poolStoreString(&dtd->pool, enc, s, next);
        if (!name)
          return XML_ERROR_NO_MEMORY;
-        declEntity = (ENTITY *)lookup(&dtd->paramEntities,
+        declEntity = (ENTITY *)lookup(parser, &dtd->paramEntities,
                                           name, sizeof(ENTITY));
        if (!declEntity)
          return XML_ERROR_NO_MEMORY;
@@ -4358,7 +4414,7 @@ doProlog(XML_Parser parser,
                                next - enc->minBytesPerChar);
        if (!name)
          return XML_ERROR_NO_MEMORY;
-        entity = (ENTITY *)lookup(&dtd->paramEntities, name, 0);
+        entity = (ENTITY *)lookup(parser, &dtd->paramEntities, name, 0);
        poolDiscard(&dtd->pool);
        /* first, determine if a check for an existing declaration is needed;
           if yes, check that the entity exists, and that it is internal,
@@ -4882,7 +4938,7 @@ appendAttributeValue(XML_Parser parser, const ENCODING *enc, XML_Bool isCdata,
                               next - enc->minBytesPerChar);
        if (!name)
          return XML_ERROR_NO_MEMORY;
-        entity = (ENTITY *)lookup(&dtd->generalEntities, name, 0);
+        entity = (ENTITY *)lookup(parser, &dtd->generalEntities, name, 0);
        poolDiscard(&temp2Pool);
        /* First, determine if a check for an existing declaration is needed;
           if yes, check that the entity exists, and that it is internal.
@@ -4991,7 +5047,7 @@ storeEntityValue(XML_Parser parser,
          result = XML_ERROR_NO_MEMORY;
          goto endEntityValue;
        }
-        entity = (ENTITY *)lookup(&dtd->paramEntities, name, 0);
+        entity = (ENTITY *)lookup(parser, &dtd->paramEntities, name, 0);
        poolDiscard(&tempPool);
        if (!entity) {
          /* not a well-formedness error - see XML 1.0: WFC Entity Declared */
@@ -5281,7 +5337,7 @@ setElementTypePrefix(XML_Parser parser, ELEMENT_TYPE *elementType)
      }
      if (!poolAppendChar(&dtd->pool, XML_T('\0')))
        return 0;
-      prefix = (PREFIX *)lookup(&dtd->prefixes, poolStart(&dtd->pool),
+      prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
                                sizeof(PREFIX));
      if (!prefix)
        return 0;
@@ -5310,7 +5366,7 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
    return NULL;
  /* skip quotation mark - its storage will be re-used (like in name[-1]) */
  ++name;
-  id = (ATTRIBUTE_ID *)lookup(&dtd->attributeIds, name, sizeof(ATTRIBUTE_ID));
+  id = (ATTRIBUTE_ID *)lookup(parser, &dtd->attributeIds, name, sizeof(ATTRIBUTE_ID));
  if (!id)
    return NULL;
  if (id->name != name)
@@ -5328,7 +5384,7 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
      if (name[5] == XML_T('\0'))
        id->prefix = &dtd->defaultPrefix;
      else
-        id->prefix = (PREFIX *)lookup(&dtd->prefixes, name + 6, sizeof(PREFIX));
+        id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, name + 6, sizeof(PREFIX));
      id->xmlns = XML_TRUE;
    }
    else {
@@ -5343,7 +5399,7 @@ getAttributeId(XML_Parser parser, const ENCODING *enc,
          }
          if (!poolAppendChar(&dtd->pool, XML_T('\0')))
            return NULL;
-          id->prefix = (PREFIX *)lookup(&dtd->prefixes, poolStart(&dtd->pool),
+          id->prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&dtd->pool),
                                        sizeof(PREFIX));
          if (!id->prefix)
            return NULL;
@@ -5441,7 +5497,7 @@ setContext(XML_Parser parser, const XML_Char *context)
      ENTITY *e;
      if (!poolAppendChar(&tempPool, XML_T('\0')))
        return XML_FALSE;
-      e = (ENTITY *)lookup(&dtd->generalEntities, poolStart(&tempPool), 0);
+      e = (ENTITY *)lookup(parser, &dtd->generalEntities, poolStart(&tempPool), 0);
      if (e)
        e->open = XML_TRUE;
      if (*s != XML_T('\0'))
@@ -5456,7 +5512,7 @@ setContext(XML_Parser parser, const XML_Char *context)
      else {
        if (!poolAppendChar(&tempPool, XML_T('\0')))
          return XML_FALSE;
-        prefix = (PREFIX *)lookup(&dtd->prefixes, poolStart(&tempPool),
+        prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&tempPool),
                                  sizeof(PREFIX));
        if (!prefix)
          return XML_FALSE;
@@ -5620,7 +5676,7 @@ dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms)
   The new DTD has already been initialized.
 */
 static int
-dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
+dtdCopy(XML_Parser oldParser, DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
 {
  HASH_TABLE_ITER iter;
@@ -5635,7 +5691,7 @@ dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
    name = poolCopyString(&(newDtd->pool), oldP->name);
    if (!name)
      return 0;
-    if (!lookup(&(newDtd->prefixes), name, sizeof(PREFIX)))
+    if (!lookup(oldParser, &(newDtd->prefixes), name, sizeof(PREFIX)))
      return 0;
  }
@@ -5657,7 +5713,7 @@ dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
    if (!name)
      return 0;
    ++name;
-    newA = (ATTRIBUTE_ID *)lookup(&(newDtd->attributeIds), name,
+    newA = (ATTRIBUTE_ID *)lookup(oldParser, &(newDtd->attributeIds), name,
                                  sizeof(ATTRIBUTE_ID));
    if (!newA)
      return 0;
@@ -5667,7 +5723,7 @@ dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
      if (oldA->prefix == &oldDtd->defaultPrefix)
        newA->prefix = &newDtd->defaultPrefix;
      else
-        newA->prefix = (PREFIX *)lookup(&(newDtd->prefixes),
+        newA->prefix = (PREFIX *)lookup(oldParser, &(newDtd->prefixes),
                                        oldA->prefix->name, 0);
    }
  }
@@ -5686,7 +5742,7 @@ dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
    name = poolCopyString(&(newDtd->pool), oldE->name);
    if (!name)
      return 0;
-    newE = (ELEMENT_TYPE *)lookup(&(newDtd->elementTypes), name,
+    newE = (ELEMENT_TYPE *)lookup(oldParser, &(newDtd->elementTypes), name,
                                  sizeof(ELEMENT_TYPE));
    if (!newE)
      return 0;
@@ -5700,14 +5756,14 @@ dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
    }
    if (oldE->idAtt)
      newE->idAtt = (ATTRIBUTE_ID *)
-          lookup(&(newDtd->attributeIds), oldE->idAtt->name, 0);
+          lookup(oldParser, &(newDtd->attributeIds), oldE->idAtt->name, 0);
    newE->allocDefaultAtts = newE->nDefaultAtts = oldE->nDefaultAtts;
    if (oldE->prefix)
-      newE->prefix = (PREFIX *)lookup(&(newDtd->prefixes),
+      newE->prefix = (PREFIX *)lookup(oldParser, &(newDtd->prefixes),
                                      oldE->prefix->name, 0);
    for (i = 0; i < newE->nDefaultAtts; i++) {
      newE->defaultAtts[i].id = (ATTRIBUTE_ID *)
-          lookup(&(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0);
+          lookup(oldParser, &(newDtd->attributeIds), oldE->defaultAtts[i].id->name, 0);
      newE->defaultAtts[i].isCdata = oldE->defaultAtts[i].isCdata;
      if (oldE->defaultAtts[i].value) {
        newE->defaultAtts[i].value
@@ -5721,13 +5777,15 @@ dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
  }
  /* Copy the entity tables. */
-  if (!copyEntityTable(&(newDtd->generalEntities),
+  if (!copyEntityTable(oldParser,
+                       &(newDtd->generalEntities),
                       &(newDtd->pool),
                       &(oldDtd->generalEntities)))
      return 0;
 #ifdef XML_DTD
-  if (!copyEntityTable(&(newDtd->paramEntities),
+  if (!copyEntityTable(oldParser,
+                       &(newDtd->paramEntities),
                       &(newDtd->pool),
                       &(oldDtd->paramEntities)))
      return 0;
@@ -5750,7 +5808,8 @@ dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms)
 }  /* End dtdCopy */
 static int
-copyEntityTable(HASH_TABLE *newTable,
+copyEntityTable(XML_Parser oldParser,
+                HASH_TABLE *newTable,
                STRING_POOL *newPool,
                const HASH_TABLE *oldTable)
 {
@@ -5769,7 +5828,7 @@ copyEntityTable(HASH_TABLE *newTable,
    name = poolCopyString(newPool, oldE->name);
    if (!name)
      return 0;
-    newE = (ENTITY *)lookup(newTable, name, sizeof(ENTITY));
+    newE = (ENTITY *)lookup(oldParser, newTable, name, sizeof(ENTITY));
    if (!newE)
      return 0;
    if (oldE->systemId) {
@@ -5827,16 +5886,16 @@ keyeq(KEY s1, KEY s2)
 }
 static unsigned long FASTCALL
-hash(KEY s)
+hash(XML_Parser parser, KEY s)
 {
-  unsigned long h = 0;
+  unsigned long h = hash_secret_salt;
  while (*s)
    h = CHAR_HASH(h, *s++);
  return h;
 }
 static NAMED *
-lookup(HASH_TABLE *table, KEY name, size_t createSize)
+lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize)
 {
  size_t i;
  if (table->size == 0) {
@@ -5853,10 +5912,10 @@ lookup(HASH_TABLE *table, KEY name, size_t createSize)
      return NULL;
    }
    memset(table->v, 0, tsize);
-    i = hash(name) & ((unsigned long)table->size - 1);
+    i = hash(parser, name) & ((unsigned long)table->size - 1);
  }
  else {
-    unsigned long h = hash(name);
+    unsigned long h = hash(parser, name);
    unsigned long mask = (unsigned long)table->size - 1;
    unsigned char step = 0;
    i = h & mask;
@@ -5882,7 +5941,7 @@ lookup(HASH_TABLE *table, KEY name, size_t createSize)
      memset(newV, 0, tsize);
      for (i = 0; i < table->size; i++)
        if (table->v[i]) {
-          unsigned long newHash = hash(table->v[i]->name);
+          unsigned long newHash = hash(parser, table->v[i]->name);
          size_t j = newHash & newMask;
          step = 0;
          while (newV[j]) {
@@ -6257,7 +6316,7 @@ getElementType(XML_Parser parser,
  if (!name)
    return NULL;
-  ret = (ELEMENT_TYPE *) lookup(&dtd->elementTypes, name, sizeof(ELEMENT_TYPE));
+  ret = (ELEMENT_TYPE *) lookup(parser, &dtd->elementTypes, name, sizeof(ELEMENT_TYPE));
  if (!ret)
    return NULL;
  if (ret->name != name)

--- a/Modules/pyexpat.c
+++ b/Modules/pyexpat.c
@@ -1150,6 +1150,8 @@ newxmlparseobject(char *encoding, char *namespace_separator, PyObject *intern)
    else {
        self->itself = XML_ParserCreate(encoding);
    }
+    XML_SetHashSalt(self->itself,
+                    (unsigned long)_Py_HashSecret.prefix);
    self->intern = intern;
    Py_XINCREF(self->intern);
    PyObject_GC_Track(self);