#36572: Deprecation of constant_time_compare broke usage with mixed-type arguments.
-------------------------------+--------------------------------------
     Reporter:  Sage Abdullah  |                    Owner:  (none)
         Type:  Bug            |                   Status:  new
    Component:  Utilities      |                  Version:  dev
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Comment (by Sage Abdullah):

 > Is this something you spotted and made you concerned or has this broken
 something on a project?

 I spotted this in Wagtail (ref:
 https://github.com/wagtail/wagtail/pull/13363) because apparently our use
 of the function involves passing mixed-type arguments to the function,
 which likely was unintentional.

 However, I can see another issue with leaving out `force_bytes`: the `str`
 vs. `str` use of `hmac.compare_digest()`
 [https://docs.python.org/3/library/hmac.html#hmac.compare_digest only
 works with ASCII characters]. This means the following test now also
 errors:

 {{{#!diff
 diff --git a/tests/utils_tests/test_crypto.py
 b/tests/utils_tests/test_crypto.py
 index bbedb3080d..e1795c766e 100644
 --- a/tests/utils_tests/test_crypto.py
 +++ b/tests/utils_tests/test_crypto.py
 @@ -21,6 +21,10 @@ class TestUtilsCryptoMisc(SimpleTestCase):
          self.assertFalse(constant_time_compare(b"spam", b"eggs"))
          self.assertTrue(constant_time_compare("spam", "spam"))
          self.assertFalse(constant_time_compare("spam", "eggs"))
 +        self.assertTrue(constant_time_compare(b"spam", "spam"))
 +        self.assertFalse(constant_time_compare("spam", b"eggs"))
 +        self.assertTrue(constant_time_compare("ありがとう", "ありがとう
 "))
 +        self.assertFalse(constant_time_compare("ありがとう", "おはよう"))

      def test_constant_time_compare_deprecated(self):
          msg = (
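 Review bot: the third added assertion has its `"ありがとう"` literal split across two lines (`"ありがとう` then `"))`), which is a SyntaxError if applied as pasted; if that is only mail wrapping it is harmless, but the committed line should read `self.assertTrue(constant_time_compare("ありがとう", "ありがとう"))` on one line. Separately, all four added assertions are expected to raise at the moment (mixed `bytes`/`str` and non-ASCII `str` both make `hmac.compare_digest()` raise `TypeError`), so they should land together with whatever restores the byte normalisation, or be marked as expected failures, rather than as plain `assertTrue`/`assertFalse` calls that turn the existing test red; splitting the mixed-type cases and the non-ASCII cases into two `subTest` blocks would also make it obvious which of the two failure modes a future regression hits.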
 }}}

 If developers use the utility function to e.g. compare passwords, and they
 just pass plain strings to the function, it no longer works if the string
 contains non-ASCII characters.
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36572#comment:3>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
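The failure mode described in the comment above, shown side by side: calling `hmac.compare_digest()` directly on `str` arguments versus normalising both sides to UTF-8 bytes first. This is an added example written for this page, not Django's code or the Wagtail change; `to_bytes()` is a stand-in modelled on the behaviour of a `force_bytes()`-style helper (an assumption, not the Django implementation), and the sample inputs are constructed to mirror the cases in the test diff.

```python
import hmac


def compare_str_only(val1, val2):
    """Call hmac.compare_digest() directly. Per the Python docs both
    arguments must be bytes-like, or both must be ASCII-only str;
    a bytes/str mix or any non-ASCII str raises TypeError."""
    return hmac.compare_digest(val1, val2)


def to_bytes(value, encoding="utf-8"):
    """Normalise to bytes before comparing. Assumption: this is a minimal
    stand-in modelled on a force_bytes()-style helper, not Django's own
    django.utils.encoding.force_bytes()."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, memoryview):
        return bytes(value)
    return str(value).encode(encoding)


def compare_as_bytes(val1, val2):
    """Encode both sides to UTF-8 first, so bytes/str mixes and non-ASCII
    text are compared in constant time instead of raising."""
    return hmac.compare_digest(to_bytes(val1), to_bytes(val2))


def probe(compare, val1, val2):
    """Run one comparison and return its bool result, or the exception
    class name if it raised, so both outcomes fit in one table."""
    try:
        return compare(val1, val2)
    except TypeError as exc:
        return type(exc).__name__


# Constructed inputs mirroring the assertions in the ticket's test diff.
CASES = [
    ("spam", "spam"),
    ("spam", "eggs"),
    (b"spam", "spam"),
    ("spam", b"eggs"),
    ("ありがとう", "ありがとう"),
    ("ありがとう", "おはよう"),
]


def summary():
    """Map each (val1, val2) pair to (str-only result, bytes-normalised result)."""
    return {
        (a, b): (probe(compare_str_only, a, b), probe(compare_as_bytes, a, b))
        for a, b in CASES
    }


if __name__ == "__main__":
    for (a, b), (str_only, as_bytes) in summary().items():
        print(f"{a!r:>14} vs {b!r:<14} str-only={str_only!s:<10} bytes={as_bytes}")
```

Two caveats on the normalised form: `hmac.compare_digest()` still reveals whether the two byte strings have equal length, so it is suited to fixed-length tokens and digests rather than arbitrary user input, and normalising to bytes does not make comparing raw passwords appropriate; the comparison should be between password hashes or signed tokens, where both sides are already bytes-like.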
