Hello community,
here is the log from the commit of package python-Flask-HTTPAuth for
openSUSE:Leap:15.2 checked in at 2020-02-19 18:48:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/python-Flask-HTTPAuth (Old)
and /work/SRC/openSUSE:Leap:15.2/.python-Flask-HTTPAuth.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-Flask-HTTPAuth"
Wed Feb 19 18:48:48 2020 rev:3 rq:776301 version:3.3.0
Changes:
--------
---
/work/SRC/openSUSE:Leap:15.2/python-Flask-HTTPAuth/python-Flask-HTTPAuth.changes
2020-01-15 15:45:59.975342452 +0100
+++
/work/SRC/openSUSE:Leap:15.2/.python-Flask-HTTPAuth.new.26092/python-Flask-HTTPAuth.changes
2020-02-19 18:48:49.315038269 +0100
@@ -1,0 +2,8 @@
+Tue May 28 07:33:27 UTC 2019 - Tomáš Chvátal <[email protected]>
+
+- Update to 3.3.0:
+ * Use constant time string comparisons #82 (commit1, commit2) (thanks
Brendan Long!)
+ * Edited and changed the usage of JWT, because in fact the code and
documentation uses JWS tokens. #79 (commit) (thanks unuseless!)
+ * Documentation improvements #77 (commit)
+
+-------------------------------------------------------------------
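Review bot: the entry `* Use constant time string comparisons #82` names the mechanism but not what it fixes, so a reader scanning the package history cannot tell this update closes a timing side channel in the password, nonce, opaque and Digest response comparisons; suggest adding a short "fixes timing side channel in credential comparison" phrase, and replacing the `commit1, commit2` placeholders (link text that lost its hyperlinks) with the upstream commit references if they are known.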
Old:
----
Flask-HTTPAuth-3.2.4.tar.gz
New:
----
Flask-HTTPAuth-3.3.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-Flask-HTTPAuth.spec ++++++
--- /var/tmp/diff_new_pack.6oXSdB/_old 2020-02-19 18:48:49.627038601 +0100
+++ /var/tmp/diff_new_pack.6oXSdB/_new 2020-02-19 18:48:49.631038605 +0100
@@ -1,7 +1,7 @@
#
# spec file for package python-Flask-HTTPAuth
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2017 Dr. Axel Braun
#
# All modifications and additions to the file contributed by third parties
@@ -20,7 +20,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define modname Flask-HTTPAuth
Name: python-%{modname}
-Version: 3.2.4
+Version: 3.3.0
Release: 0
Summary: Basic and Digest HTTP authentication for Flask routes
License: MIT
++++++ Flask-HTTPAuth-3.2.4.tar.gz -> Flask-HTTPAuth-3.3.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/Flask-HTTPAuth-3.2.4/Flask_HTTPAuth.egg-info/PKG-INFO
new/Flask-HTTPAuth-3.3.0/Flask_HTTPAuth.egg-info/PKG-INFO
--- old/Flask-HTTPAuth-3.2.4/Flask_HTTPAuth.egg-info/PKG-INFO 2018-06-18
00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/Flask_HTTPAuth.egg-info/PKG-INFO 2019-05-19
12:24:54.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: Flask-HTTPAuth
-Version: 3.2.4
+Version: 3.3.0
Summary: Basic and Digest HTTP authentication for Flask routes
Home-page: http://github.com/miguelgrinberg/flask-httpauth/
Author: Miguel Grinberg
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/PKG-INFO
new/Flask-HTTPAuth-3.3.0/PKG-INFO
--- old/Flask-HTTPAuth-3.2.4/PKG-INFO 2018-06-18 00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/PKG-INFO 2019-05-19 12:24:55.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: Flask-HTTPAuth
-Version: 3.2.4
+Version: 3.3.0
Summary: Basic and Digest HTTP authentication for Flask routes
Home-page: http://github.com/miguelgrinberg/flask-httpauth/
Author: Miguel Grinberg
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/docs/index.rst
new/Flask-HTTPAuth-3.3.0/docs/index.rst
--- old/Flask-HTTPAuth-3.2.4/docs/index.rst 2018-06-15 08:18:36.000000000
+0200
+++ new/Flask-HTTPAuth-3.3.0/docs/index.rst 2019-05-19 11:33:53.000000000
+0200
@@ -44,7 +44,7 @@
@auth.hash_password
def hash_pw(password):
- return md5(password).hexdigest()
+ return md5(password.encode('utf-8')).hexdigest()
When the ``hash_password`` callback is provided access will be granted when
``get_password(username) == hash_password(password)``.
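Review bot: the fixed line `+ return md5(password.encode('utf-8')).hexdigest()` only adds the `.encode('utf-8')` needed on Python 3; the example still shows unsalted MD5 as a password hash, which readers tend to copy as-is. Suggest a sentence right after the snippet saying it is for illustration only and pointing to a salted, slow password hash (for example `werkzeug.security.generate_password_hash` / `check_password_hash`, since the package already depends on Werkzeug).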
@@ -162,12 +162,17 @@
The ``verify_token`` callback receives the authentication credentials provided
by the client on the ``Authorization`` header. This can be a simple token, or
can contain multiple arguments, which the function will have to parse and
extract from the string.
-In the examples directory you can find a complete example that uses JWT tokens.
+In the examples directory you can find a complete example that uses
+JWS tokens. JWS tokens are similar to JWT tokens. However using JWT
+tokens would require an external dependency to handle JWT.
Using Multiple Authentication Schemes
-------------------------------------
-Applications sometimes need to support a combination of authentication
methods. For example, a web application could be authenticated by sending
client id and secret over basic authentication, while third party API clients
use a JWT bearer token. The `MultiAuth` class allows you to protect a route
with more than one authentication object. To grant access to the endpoint, one
of the authentication methods must validate.
+Applications sometimes need to support a combination of authentication
+methods. For example, a web application could be authenticated by
+sending client id and secret over basic authentication, while third
+party API clients use a JWS or JWT bearer token. The `MultiAuth` class allows
you to protect a route with more than one authentication object. To grant
access to the endpoint, one of the authentication methods must validate.
In the examples directory you can find a complete example that uses basic and
token authentication.
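Review bot: the new wording `JWS tokens are similar to JWT tokens. However using JWT tokens would require an external dependency` is imprecise and will confuse readers: a signed JWT is a JWS whose payload is a JSON claims set, so the relationship is containment, not similarity, and JWS itself is not dependency-free. Suggest stating which library the bundled example actually uses to produce and verify its JWS tokens and that a full JWT library was avoided to keep that example's dependencies small; the `JWS or JWT bearer token` change in the `MultiAuth` paragraph is fine.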
@@ -327,11 +332,11 @@
This class handles HTTP authentication with custom schemes for Flask routes.
- .. method:: __init__(scheme, realm=None)
+ .. method:: __init__(scheme='Bearer', realm=None)
Create a token authentication object.
- The ``scheme`` argument must be provided to be used in the
``WWW-Authenticate`` response.
+ The ``scheme`` argument can be use to specify the scheme to be used in the
``WWW-Authenticate`` response.
The ``realm`` argument can be used to provide an application defined realm
with the ``WWW-Authenticate`` header.
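Review bot: typo in the added line `+ The ``scheme`` argument can be use to specify the scheme to be used in the` (should read `can be used`). Since the signature now shows `scheme='Bearer'`, the sentence should also say that `Bearer` is the default when the argument is omitted, so the prose matches the new signature.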
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/flask_httpauth.py
new/Flask-HTTPAuth-3.3.0/flask_httpauth.py
--- old/Flask-HTTPAuth-3.2.4/flask_httpauth.py 2018-06-18 00:27:44.000000000
+0200
+++ new/Flask-HTTPAuth-3.3.0/flask_httpauth.py 2019-05-19 12:24:47.000000000
+0200
@@ -13,8 +13,9 @@
from random import Random, SystemRandom
from flask import request, make_response, session
from werkzeug.datastructures import Authorization
+from werkzeug.security import safe_str_cmp
-__version__ = '3.2.4'
+__version__ = '3.3.0'
class HTTPAuth(object):
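Review bot: `+from werkzeug.security import safe_str_cmp` ties the constant-time comparison to a Werkzeug helper that only wraps the standard library; `hmac.compare_digest` (Python 2.7.7+ and 3.3+) does the same job without depending on Werkzeug's API surface staying stable, so consider importing that directly, or at least keeping the call behind one local helper so a later switch touches a single line.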
@@ -143,7 +144,8 @@
client_password = self.hash_password_callback(username,
client_password)
return client_password is not None and \
- client_password == stored_password
+ stored_password is not None and \
+ safe_str_cmp(client_password, stored_password)
class HTTPDigestAuth(HTTPAuth):
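Review bot: the added `stored_password is not None` guard is necessary, because `safe_str_cmp` raises on `None` where `==` simply returned `False`; note, though, that the chain `client_password is not None and stored_password is not None and safe_str_cmp(...)` still short-circuits before the comparison when the stored password is `None`, so an unknown username returns measurably faster than a wrong password for a known one. If username enumeration via timing matters for this API, run the comparison against a dummy value in the `None` case so both paths do the same work.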
@@ -169,14 +171,20 @@
return session["auth_nonce"]
def default_verify_nonce(nonce):
- return nonce == session.get("auth_nonce")
+ session_nonce = session.get("auth_nonce")
+ if nonce is None or session_nonce is None:
+ return False
+ return safe_str_cmp(nonce, session_nonce)
def default_generate_opaque():
session["auth_opaque"] = _generate_random()
return session["auth_opaque"]
def default_verify_opaque(opaque):
- return opaque == session.get("auth_opaque")
+ session_opaque = session.get("auth_opaque")
+ if opaque is None or session_opaque is None:
+ return False
+ return safe_str_cmp(opaque, session_opaque)
self.generate_nonce(default_generate_nonce)
self.generate_opaque(default_generate_opaque)
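Review bot: `default_verify_nonce` and `default_verify_opaque` now carry identical four-line bodies (fetch from session, reject if either side is `None`, `safe_str_cmp`); suggest factoring them into one helper such as `_safe_eq(value, session_key)` so the `None` handling, which exists only because `safe_str_cmp` raises on `None` rather than returning `False`, is written once and cannot drift between the two callbacks.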
@@ -235,7 +243,7 @@
ha2 = md5(a2.encode('utf-8')).hexdigest()
a3 = ha1 + ":" + auth.nonce + ":" + ha2
response = md5(a3.encode('utf-8')).hexdigest()
- return response == auth.response
+ return safe_str_cmp(response, auth.response)
class HTTPTokenAuth(HTTPAuth):
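Review bot: `+ return safe_str_cmp(response, auth.response)` has no `None` guard, unlike the nonce and opaque hunks above; `auth.response` is a lookup on the parsed `Authorization` header and is `None` when a client sends a Digest header without a `response` field, which would turn a malformed request into a `TypeError` from `safe_str_cmp` instead of a clean authentication failure. Suggest `return auth.response is not None and safe_str_cmp(response, auth.response)` to match the other two comparisons.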
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/setup.cfg
new/Flask-HTTPAuth-3.3.0/setup.cfg
--- old/Flask-HTTPAuth-3.2.4/setup.cfg 2018-06-18 00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/setup.cfg 2019-05-19 12:24:55.000000000 +0200
@@ -1,5 +1,4 @@
[egg_info]
tag_build =
tag_date = 0
-tag_svn_revision = 0