[issue15061] hmac.secure_compare() leaks information about length of strings

Christian Heimes report at bugs.python.org
Thu Jun 14 14:01:34 CEST 2012


Christian Heimes <lists at cheimes.de> added the comment:

I've two suggestions:

* rename the function to 'total_compare'. The name explains what the function actually does in comparison to '=='. It takes the total input values into account instead of using short circuit comparison.

* restrict the function to bytes. The implementation works well with bytes but not with unicode. It's not an issue since hash digests are bytes. The docs could explain the issue with unicode and how user code can implement a reasonably safe conversion.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue15061>
_______________________________________
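The following is an added illustration written for this page; it is not code from the Python tracker, from Christian Heimes, or from the `hmac` module. It shows the two points of the comment above in working code: a bytes-only comparison that visits every byte position instead of stopping at the first mismatch (the "total" behaviour contrasted with `==`), and a wrapper that performs an explicit, fixed encoding of `str` input before comparing. The function names `total_compare`, `inspected_bytes`, `compare_str` and `masked_compare`, and the choice of UTF-8 as the encoding, are assumptions made for this example; `masked_compare` goes slightly beyond the comment by showing the standard way to stop a comparison from depending on the lengths of the inputs (the length leak in the issue title): compare fixed-length keyed digests instead of the raw values.

```python
import hashlib
import hmac
import os


def total_compare(a: bytes, b: bytes) -> bool:
    """Compare two byte strings without short-circuiting on the first mismatch.

    Every byte position is visited, so the running time depends on the length
    of the inputs and not on where (or whether) they differ.  Input is
    restricted to bytes: str would first need a defined encoding step
    (see compare_str below), exactly as the comment above suggests.
    """
    if not isinstance(a, bytes) or not isinstance(b, bytes):
        raise TypeError("total_compare() expects bytes, got %s and %s"
                        % (type(a).__name__, type(b).__name__))
    if len(a) != len(b):
        # A length mismatch is reported at once; the length itself is not
        # treated as secret here (digests of one algorithm are fixed-length).
        # Use masked_compare() when the length must not be observable.
        return False
    diff = 0
    for x, y in zip(a, b):   # bytes iterate as ints in Python 3
        diff |= x ^ y        # accumulate differences, never break out early
    return diff == 0


def inspected_bytes(a: bytes, b: bytes, short_circuit: bool) -> int:
    """Count how many byte positions a comparison looks at.

    With short_circuit=True the loop stops at the first mismatch, which is
    the behaviour of '=='; with short_circuit=False every position is
    visited, which is what total_compare() does.  Constructed purely to make
    the difference between the two strategies visible without timing runs.
    """
    n = 0
    for x, y in zip(a, b):
        n += 1
        if short_circuit and x != y:
            break
    return n


def compare_str(a: str, b: str, encoding: str = "utf-8") -> bool:
    """Compare two text strings by first encoding both with one fixed encoding.

    The explicit encoding step is the 'reasonably safe conversion' the comment
    leaves to user code: the comparison itself only ever sees bytes.
    """
    return total_compare(a.encode(encoding), b.encode(encoding))


# Per-process random key; it only has to be unknown to an outside observer.
_MASK_KEY = os.urandom(32)


def masked_compare(a: bytes, b: bytes) -> bool:
    """Compare via fixed-length keyed digests instead of the raw values.

    Both digests are always computed and always compared in full, so the
    comparison step reveals neither the content nor the length of either input.
    Caveat: computing each digest still takes time proportional to that
    input's own length, but the time spent on one input says nothing about
    the other.
    """
    da = hmac.new(_MASK_KEY, a, hashlib.sha256).digest()
    db = hmac.new(_MASK_KEY, b, hashlib.sha256).digest()
    return total_compare(da, db)


if __name__ == "__main__":
    # Constructed sample inputs.
    expected = hashlib.sha256(b"token").digest()
    print(total_compare(expected, hashlib.sha256(b"token").digest()))
    print(inspected_bytes(b"abcdef", b"xbcdef", short_circuit=True),
          inspected_bytes(b"abcdef", b"xbcdef", short_circuit=False))
    print(compare_str("pässword", "pässword"), masked_compare(b"secret", b"secret!"))
```

`inspected_bytes` with `short_circuit=True` reports 1 for inputs that differ in the first byte and 6 for six-byte inputs that differ only in the last, which is the position-dependent behaviour the comment's "short circuit comparison" refers to; with `short_circuit=False` it always reports the full length. Later Python versions ship this idea in the standard library as `hmac.compare_digest`.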

