#36572: Deprecation of constant_time_compare broke usage with mixed-type arguments.
-------------------------------+--------------------------------------
     Reporter:  Sage Abdullah  |                    Owner:  (none)
         Type:  Bug            |                   Status:  new
    Component:  Utilities      |                  Version:  dev
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+--------------------------------------
Comment (by Tim Graham):

 I hadn't noticed that the original patch changed the implementation of
 `constant_time_compare()` (removing `force_bytes()`). With this new
 information, that's certainly inappropriate.

 I suppose there's a larger question of whether we keep the
 `constant_time_compare()` API since we now learned it provides genuinely
 different functionality that third-party code is relying on (comparing
 strings with non-ASCII characters and arguments of different type) than
 `hmac.compare_digest()`. In argument against keeping it, it forces third
 parties to identify these areas and add their own casting rather than
 imposing a casting penalty where it's unneeded.

 As far as I see, Django itself doesn't need to use
 `constant_time_compare()` internally since it always compares digests.
 Well, `hmac.compare_digest(request.session.get(HASH_SESSION_KEY, ""),
 session_auth_hash)` looks like the empty string needs to become a
 bytestring.

 At this point in the release cycle, probably it's best to revert the
 deprecation to consider this more carefully. A later first step could be
 to replace internal usage of `constant_time_compare()` with
 `compare_digest()` (part of the original patch, but checked more carefully
 to make sure a str/bytes comparison can't happen).
-- 
Ticket URL: <https://code.djangoproject.com/ticket/36572#comment:4>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
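Added illustration, not code from the ticket or from Django: a stand-in for the `force_bytes()` coercion the comment says the original `constant_time_compare()` applied, run side by side with plain `hmac.compare_digest()` on the argument kinds the comment names (non-ASCII strings, mixed str/bytes). The `_to_bytes` helper is an assumption about `force_bytes()` behaviour, and the sample values are constructed.

```python
import hmac


def _to_bytes(value):
    """Assumed stand-in for force_bytes(): str -> UTF-8 bytes, bytes pass through."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("utf-8")
    return str(value).encode("utf-8")


def compat_compare(val1, val2):
    """Constant-time comparison that tolerates mixed str/bytes and non-ASCII str.

    Mirrors what the comment describes: both arguments are coerced to bytes
    before hmac.compare_digest() is called, so third-party callers never see
    a TypeError for str/bytes mixes or non-ASCII text.
    """
    return hmac.compare_digest(_to_bytes(val1), _to_bytes(val2))


def stdlib_compare(val1, val2):
    """Call hmac.compare_digest() directly; return the bool or 'TypeError'."""
    try:
        return hmac.compare_digest(val1, val2)
    except TypeError:
        return "TypeError"


def compare_matrix():
    """Map each argument-kind case to (stdlib result, coercing result)."""
    cases = {  # constructed sample inputs
        "ascii str / ascii str": ("token", "token"),
        "non-ascii str / non-ascii str": ("tökén", "tökén"),
        "str / bytes": ("token", b"token"),
        "bytes / bytes": (b"token", b"token"),
        "empty str / str digest": ("", "9f86d081884c7d65"),
    }
    return {name: (stdlib_compare(a, b), compat_compare(a, b))
            for name, (a, b) in cases.items()}


if __name__ == "__main__":
    for name, (stdlib, compat) in compare_matrix().items():
        print(f"{name:32} hmac.compare_digest={stdlib!s:10} coerced={compat}")
```

The two rows where `hmac.compare_digest()` reports `TypeError` are exactly the mixed-type and non-ASCII usages the ticket says third-party code relied on.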
