Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

[py3] Fixed #17040 -- ported django.utils.crypto.constant_time_compare.

This is a private API; adding a type check is acceptable.
  • Loading branch information...
commit 62954ba04c86c4cea3b17a872ba6a0837730e17d 1 parent 54899d8
@aaugustin aaugustin authored
View
13 django/utils/crypto.py
@@ -24,6 +24,7 @@
from django.conf import settings
from django.utils.encoding import smart_bytes
+from django.utils import six
from django.utils.six.moves import xrange
@@ -81,15 +82,21 @@ def get_random_string(length=12,
def constant_time_compare(val1, val2):
"""
- Returns True if the two strings are equal, False otherwise.
+ Returns True if the two bytestrings are equal, False otherwise.
The time taken is independent of the number of characters that match.
"""
+ if not (isinstance(val1, bytes) and isinstance(val2, bytes)):

Breaks CSRF middleware in python 2.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
+ raise TypeError("constant_time_compare only supports bytes")
if len(val1) != len(val2):
return False
result = 0
- for x, y in zip(val1, val2):
- result |= ord(x) ^ ord(y)
+ if six.PY3:
+ for x, y in zip(val1, val2):
+ result |= x ^ y
+ else:
+ for x, y in zip(val1, val2):
+ result |= ord(x) ^ ord(y)
return result == 0
View
12 tests/regressiontests/utils/crypto.py
@@ -6,7 +6,17 @@
import hashlib
from django.utils import unittest
-from django.utils.crypto import pbkdf2
+from django.utils.crypto import constant_time_compare, pbkdf2
+
+
+class TestUtilsCryptoMisc(unittest.TestCase):
+
+ def test_constant_time_compare(self):
+ # It's hard to test for constant time, just test the result.
+ self.assertTrue(constant_time_compare(b'spam', b'spam'))
+ self.assertFalse(constant_time_compare(b'spam', b'eggs'))
+ with self.assertRaises(TypeError):
+ constant_time_compare('spam', 'spam')
class TestUtilsCryptoPBKDF2(unittest.TestCase):
View
2  tests/regressiontests/utils/tests.py
@@ -6,7 +6,7 @@
from .archive import TestBzip2Tar, TestGzipTar, TestTar, TestZip
from .baseconv import TestBaseConv
from .checksums import TestUtilsChecksums
-from .crypto import TestUtilsCryptoPBKDF2
+from .crypto import TestUtilsCryptoMisc, TestUtilsCryptoPBKDF2
from .datastructures import (DictWrapperTests, ImmutableListTests,
MergeDictTests, MultiValueDictTests, SortedDictTests)
from .dateformat import DateFormatTests
@georgemarshall

Breaks CSRF middleware in python 2.7

Please sign in to comment.
Something went wrong with that request. Please try again.