On Tue, May 19, 2020 at 8:49 PM David Mertz <me...@gnosis.cx> wrote:

>         elif fmt == "PBKDF2_SHA256":
>             h = base64.b64encode(base64.b64decode(text)[:32])
>             # a terrible hack follows, use "adapted base64" alphabet
>             # (using . instead of + and with no padding)
>             h = h.rstrip("=").replace("+", ".")
>             salt = base64.b64encode(salt)
>             salt = salt.rstrip("=").replace("+", ".")
>
> We actually know that base64 code should only produce at most 2 '='s as
> padding.  In this instance, the encoding comes immediately before the
> stripping.  However, perhaps some code would pass the encoded string and
> you wouldn't be as confident locally that extra '='s hadn't snuck in.
>
> If it existed, I think these lines would be good candidates for 'maxstrip'.
>

 Not a very strong ending 🤣

I may be misunderstanding, but it sounds like = is not acceptable in the
final result, so it's not enough to remove only 2 of 4 ='s. You want to
make sure nothing messed up your string. So if the code existed, what you'd
want is:

```
assert salt.count("=") <= 2
salt = salt.rstrip("=")  # str.rstrip takes a single chars argument
assert "=" not in salt
```
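
An added example, not code from either message or from the project being quoted: the padding check discussed above, written as a strict "adapted base64" encoder and decoder for salt and hash fields. It assumes Python 3, where `base64.b64encode` returns bytes; the function names and sample values are hypothetical and constructed for illustration.

```python
import base64
import binascii


def strip_padding_checked(encoded: str) -> str:
    """Remove base64 padding, refusing anything b64encode could not emit."""
    body = encoded.rstrip("=")
    # Valid base64 carries 0, 1 or 2 '=' and only at the very end.
    if len(encoded) - len(body) > 2 or "=" in body:
        raise ValueError("malformed base64 padding")
    return body


def ab64_encode(raw: bytes) -> str:
    """Standard base64 with '+' replaced by '.' and the padding removed."""
    encoded = base64.b64encode(raw).decode("ascii")
    return strip_padding_checked(encoded).replace("+", ".")


def ab64_decode(text: str) -> bytes:
    """Strict inverse of ab64_encode for fields read back from storage."""
    if "=" in text or "+" in text:
        raise ValueError("not adapted base64: contains '=' or '+'")
    if len(text) % 4 == 1:
        raise ValueError("impossible length for unpadded base64")
    # Restore the alphabet and the padding that encoding removed.
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid adapted base64: {exc}") from exc


if __name__ == "__main__":
    salt = bytes(16)  # constructed sample salt, 16 zero bytes
    field = ab64_encode(salt)
    print(field, ab64_decode(field) == salt)
    for bad in ("AAAA====", "AA=A"):  # constructed malformed inputs
        try:
            strip_padding_checked(bad)
        except ValueError as err:
            print(repr(bad), "rejected:", err)
```

A plain `rstrip("=")` would turn both malformed inputs into strings that look clean, which is the case the assertions in the reply are meant to catch.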
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/TI3RETFLVKRWA6JMQCCDBVHZXESJCMYL/