author | David Lord <davidism@gmail.com> | 2020-10-15 13:29:21 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-10-15 13:29:21 -0700 |
commit | 90dbb274077b8d845ca0e54f85daad8c028f1e66 (patch) | |
tree | d41ce338e9a9d00ccede227921dbc666ce9f845b | |
parent | 7b3e34debff6ef51c2d06cdf2202f36153438809 (diff) | |
parent | 4aae4efbd4e6b0849b884200810097ce199a118a (diff) | |
download | werkzeug-90dbb274077b8d845ca0e54f85daad8c028f1e66.tar.gz |
Merge pull request #1942 from illia-v/drop-unreachable-code
Drop unreachable code in `safe_str_cmp`
-rw-r--r-- | src/werkzeug/security.py | 13 | ||||
-rw-r--r-- | tests/test_security.py | 12 |
2 files changed, 1 insertions, 24 deletions
diff --git a/src/werkzeug/security.py b/src/werkzeug/security.py
index 905d00f0..7f7ddcf6 100644
--- a/src/werkzeug/security.py
+++ b/src/werkzeug/security.py
@@ -18,7 +18,6 @@ SALT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
 DEFAULT_PBKDF2_ITERATIONS = 260000
 _pack_int = Struct(">I").pack
-_builtin_safe_str_cmp = getattr(hmac, "compare_digest", None)
 _os_alt_seps = list( sep for sep in [os.path.sep, os.path.altsep] if sep not in (None, "/") )
@@ -98,17 +97,7 @@ def safe_str_cmp(a: str, b: str) -> bool:
 if isinstance(b, str):
 b = b.encode("utf-8") # type: ignore
- if _builtin_safe_str_cmp is not None:
- return _builtin_safe_str_cmp(a, b)
-
- if len(a) != len(b):
- return False
-
- rv = 0
- for x, y in zip(a, b):
- rv |= x ^ y # type: ignore
-
- return rv == 0
+ return hmac.compare_digest(a, b)
 def gen_salt(length: int) -> str:
diff --git a/tests/test_security.py b/tests/test_security.py
index faa3c497..626c6eb8 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -20,18 +20,6 @@ def test_safe_str_cmp():
 assert safe_str_cmp("aaa", "aaa") is True
-def test_safe_str_cmp_no_builtin():
- import werkzeug.security as sec
-
- prev_value = sec._builtin_safe_str_cmp
- sec._builtin_safe_str_cmp = None
- assert safe_str_cmp("a", "ab") is False
-
- assert safe_str_cmp("str", "str") is True
- assert safe_str_cmp("str1", "str2") is False
- sec._builtin_safe_str_cmp = prev_value
-
-
 def test_password_hashing():
 hash0 = generate_password_hash("default")
 assert check_password_hash(hash0, "default") |
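Review bot: The new `return hmac.compare_digest(a, b)` line in the safe_str_cmp hunk leaves the signature's `str` annotations at odds with the `isinstance(b, str)` guard just above it, which exists so bytes inputs are accepted and still needs a `# type: ignore`; now that the body is a single delegation, widening `a` and `b` to a union of str and bytes would let that ignore go and document the real contract. The function's def line and docstring sit above the hunk and are not visible here; if the docstring still describes the removed pure-Python fallback, it should instead say that the comparison is delegated to `hmac.compare_digest`, which hides the compared values but not a length mismatch — the same property the removed `if len(a) != len(b): return False` path had, so callers comparing secrets of variable length should be told to hash or pad first. A one-line changelog entry noting that the fallback is gone would also help anyone who relied on it.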