#36546: Deprecate django.utils.crypto.constant_time_compare()
-------------------------------------+-------------------------------------
Reporter: Tim Graham | Owner: Pravin
Type: Cleanup/optimization | Status: assigned
Component: Utilities | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Someday/Maybe
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Comment (by Pravin):
Just confirming the technical approach for the internal dependency
removal:
1. I will be using **`secrets.compare_digest()`** for the replacement.
2. The implementation at the call site will include **`force_bytes()`**
on both arguments to ensure type safety:
`secrets.compare_digest(force_bytes(val1), force_bytes(val2))`.
3. The definition of `constant_time_compare()` itself will **not be
modified** to avoid breaking third-party applications that rely on its
current type-coercion logic.
**Example of the change:**
Old internal Django code: `constant_time_compare(val1, val2)`
New internal Django code: `secrets.compare_digest(force_bytes(val1), force_bytes(val2))`
I am proceeding with the internal refactoring now.
--
Ticket URL: <https://code.djangoproject.com/ticket/36546#comment:21>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
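An added illustration of the type-coercion point behind item 2 of the comment above; this is not code from the ticket or from Django itself, and `force_bytes` below is a minimal stand-in (an assumption) for `django.utils.encoding.force_bytes` so the script runs without Django installed:

```python
import hmac
import secrets


def force_bytes(value, encoding="utf-8"):
    """Stand-in for django.utils.encoding.force_bytes (assumption: bytes pass
    through, str is encoded, anything else goes through str() first)."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode(encoding)
    return str(value).encode(encoding)


def constant_time_compare(val1, val2):
    """The behaviour the ticket wants to keep for third parties: both sides
    are coerced to bytes, then compared in constant time."""
    return hmac.compare_digest(force_bytes(val1), force_bytes(val2))


def compare_new(val1, val2):
    """The replacement proposed for Django-internal call sites."""
    return secrets.compare_digest(force_bytes(val1), force_bytes(val2))


def bare_compare_raises(val1, val2):
    """Why the force_bytes() wrapping matters: secrets.compare_digest() only
    accepts two bytes-like objects or two ASCII-only str values, and raises
    TypeError otherwise. Returns True when the bare call raises."""
    try:
        secrets.compare_digest(val1, val2)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a token that arrives once as str and once as bytes,
    # and a non-ASCII str that the bare call cannot compare at all.
    print(constant_time_compare("tok3n", b"tok3n"))   # True
    print(compare_new("tok3n", b"tok3n"))             # True
    print(bare_compare_raises("tok3n", b"tok3n"))     # True (mixed types)
    print(bare_compare_raises("pässwörd", "pässwörd"))  # True (non-ASCII str)
    print(compare_new("pässwörd", "pässwörd"))        # True
```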