[Django] #36572: Deprecation of constant_time_compare broke usage with mixed-type arguments.

Tue, 26 Aug 2025 01:46:53 -0700 

#36572: Deprecation of constant_time_compare broke usage with mixed-type 
arguments.
-------------------------------+--------------------------------------
     Reporter:  Sage Abdullah  |                     Type:  Bug
       Status:  new            |                Component:  Utilities
      Version:  dev            |                 Severity:  Normal
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
 The deprecation of `constant_time_compare` in #36546
 (0246f478882c26bc1fe293224653074cd46a90d0) removed the `force_bytes`
 conversion of the arguments passed to the function. The function now
 raises an error if passed arguments of different types, e.g. `bytes` and
 `str`. Test:


 {{{#!diff
 diff --git a/tests/utils_tests/test_crypto.py
 b/tests/utils_tests/test_crypto.py
 index bbedb3080d..4ed8167150 100644
 --- a/tests/utils_tests/test_crypto.py
 +++ b/tests/utils_tests/test_crypto.py
 @@ -21,6 +21,8 @@ class TestUtilsCryptoMisc(SimpleTestCase):
          self.assertFalse(constant_time_compare(b"spam", b"eggs"))
          self.assertTrue(constant_time_compare("spam", "spam"))
          self.assertFalse(constant_time_compare("spam", "eggs"))
 +        self.assertTrue(constant_time_compare(b"spam", "spam"))
 +        self.assertFalse(constant_time_compare("spam", b"eggs"))

      def test_constant_time_compare_deprecated(self):
          msg = (
 }}}

 The fix on my side is trivial (ensure both arguments are the same type),
 but I'm not sure if this was intentional for the deprecation process. If
 it were intentional, I'm happy to close this as a wontfix. Otherwise, I'm
 also happy to send a PR that adds the `force_bytes` back in.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36572>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To view this discussion visit 
https://groups.google.com/d/msgid/django-updates/01070198e58eebe8-79192d5e-cb1e-46dd-b729-5439dfde1da5-000000%40eu-central-1.amazonses.com.

Reply via email to