#36546: Deprecate django.utils.crypto.constant_time_compare()
-------------------------------------+-------------------------------------
     Reporter:  Tim Graham           |                     Type:
                                     |  Cleanup/optimization
       Status:  new                  |                Component:  Utilities
      Version:  dev                  |                 Severity:  Normal
     Keywords:                       |             Triage Stage:
                                     |  Unreviewed
    Has patch:  0                    |      Needs documentation:  0
  Needs tests:  0                    |  Patch needs improvement:  0
Easy pickings:  0                    |                    UI/UX:  0
-------------------------------------+-------------------------------------
Historically it was a bespoke implementation (added in 45c7f427ce830dd1b2f636fb9c244fda9201cadb) before the stdlib implementation was preferred (58176dee88ac7c1038c7f685af023e634b143d02). Now it's just an alias of `secrets.compare_digest` (which itself is [https://github.com/python/cpython/blob/dd079db4b96fa474b8e6d71ae9db662c4ce28caf/Lib/secrets.py#L17 an alias] of `hmac.compare_digest`, which was used before 1d0bab0bfd77edcf1228d45bf654457a8ff1890d).

`constant_time_compare()` does call `force_bytes()` on its arguments, but this was a workaround for Python 2.7 (7e3cf3cfd27e53ced0a1fc65a02849f78a292d3d) and no tests in Django's test suite fail with those calls removed.

--
Ticket URL: <https://code.djangoproject.com/ticket/36546>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
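
Added example (not part of the ticket and not Django's code): it runs the same argument pairs through a coerce-then-compare wrapper of the shape the ticket describes and through `secrets.compare_digest` called directly, to show which argument types a caller has to encode explicitly when switching to the stdlib function. `to_bytes` is a simplified stand-in for `force_bytes()`, the function names are hypothetical, and the sample values are constructed.

```python
import secrets


def to_bytes(value):
    """Simplified stand-in (assumption) for Django's force_bytes()."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, memoryview):
        return bytes(value)
    return str(value).encode("utf-8")


def legacy_compare(val1, val2):
    """Shape the ticket describes: coerce both arguments, then delegate."""
    return secrets.compare_digest(to_bytes(val1), to_bytes(val2))


def direct_compare(val1, val2):
    """Call the stdlib function with the arguments untouched."""
    try:
        return secrets.compare_digest(val1, val2)
    except TypeError as exc:
        # Reported as text so the audit can list it next to the legacy result.
        return f"TypeError: {exc}"


# Constructed argument pairs of the kinds a caller might pass.
SAMPLES = {
    "ascii str / ascii str": ("s3cr3t", "s3cr3t"),
    "bytes / bytes": (b"s3cr3t", b"s3cr3t"),
    "str / bytes": ("s3cr3t", b"s3cr3t"),
    "non-ASCII str / str": ("pässword", "pässword"),
    "int / str": (1234, "1234"),
}


def audit(samples=SAMPLES):
    """Return {label: (legacy_result, direct_result)} for each pair."""
    return {
        label: (legacy_compare(a, b), direct_compare(a, b))
        for label, (a, b) in samples.items()
    }


if __name__ == "__main__":
    for label, (legacy, direct) in audit().items():
        print(f"{label:24} legacy={legacy!s:6} direct={direct}")
```

Pairs that report a `TypeError` in the direct column are the call sites where both values need to be encoded to bytes before comparison.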