[issue15061] hmac.secure_compare() leaks information about length of strings
Antoine Pitrou
report at bugs.python.org
Fri Jun 15 14:53:15 CEST 2012
Antoine Pitrou <pitrou at free.fr> added the comment:
> > The point of supporting unicode would precisely be to avoid a
> > unicode->bytes conversion when unicode strings are received.
>
> A byte-wise comparison of the memory representation would work IFF both
> sides have the same type and unicode kind. Anything else could give away
> details of the content.
My proposal was to only allow them on ASCII strings. Any other unicode
kind would raise an error (perhaps NotImplementedError).
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue15061>
_______________________________________
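
The rule proposed in the message above (same-type operands, str accepted only when ASCII, an error for anything else), written out as an added example; it is not code from the thread or from the patch under discussion. The names secure_compare and verify_hex_tag and the sample key, message and tags are assumptions made for illustration, and the comparison itself is delegated to the standard library's hmac.compare_digest, which accepts ASCII-only str directly.

```python
import hashlib
import hmac


def secure_compare(a, b):
    """Compare two secrets under the rule proposed above.

    Both operands must be the same type: bytes-like, or ASCII-only str.
    Any other str raises NotImplementedError instead of being compared.
    """
    if isinstance(a, str) and isinstance(b, str):
        # str.isascii() (Python 3.7+) reads a flag on the string object in
        # CPython, so this check does not walk the secret's characters.
        if not (a.isascii() and b.isascii()):
            raise NotImplementedError("only ASCII str operands are supported")
    elif isinstance(a, str) or isinstance(b, str):
        raise TypeError("cannot compare str with bytes")
    # compare_digest takes ASCII str as-is: no str -> bytes conversion.
    return hmac.compare_digest(a, b)


def verify_hex_tag(key, message, received_tag):
    """Check a hex HMAC-SHA256 tag that arrived as text (e.g. a header)."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()  # ASCII str
    try:
        return secure_compare(expected, received_tag)
    except (NotImplementedError, TypeError):
        return False  # malformed tag: reject without comparing contents


# Constructed sample values, for illustration only.
KEY = b"constructed-demo-key"
MESSAGE = b"amount=100&to=alice"
GOOD_TAG = hmac.new(KEY, MESSAGE, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    print(verify_hex_tag(KEY, MESSAGE, GOOD_TAG))       # matching tag
    print(verify_hex_tag(KEY, MESSAGE, "0" * 64))       # wrong tag
    print(verify_hex_tag(KEY, MESSAGE, "\u00e9" * 64))  # non-ASCII tag
```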