[issue15061] hmac.secure_compare() leaks information about length of strings

Martin v. Löwis report at bugs.python.org
Thu Jun 21 23:00:42 CEST 2012


Martin v. Löwis <martin at v.loewis.de> added the comment:

> The user can just do timingsafe_eq(a.decode('ascii'),
> b.decode('ascii')). 

You mean .encode()?

> I do not see a necessity in support of unicode
> strings. Support ASCII strings will create the false impression that all
> strings are supported.

I agree.

> About code. Instead (PyBytes_CheckExact(a) && PyBytes_CheckExact(b)) you
> should use ((PyBytes_CheckExact(a) != 0) & (PyBytes_CheckExact(b) !=
> 0)).

What's the difference? They are the same.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue15061>
_______________________________________
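
An added illustration, not code from the tracker patch or from this message: a bytes-only comparison in the shape discussed above, where callers holding text encode it themselves. The name `timingsafe_eq` is borrowed from the quoted text; the body, the self-comparison on a length mismatch, and the helper `eq_ascii_text` are assumptions, and pure Python only shows the logic (the interpreter gives no constant-time guarantee).

```python
def timingsafe_eq(known, supplied):
    """Compare two bytes objects without exiting at the first differing byte."""
    # Bytes only (exact type, like PyBytes_CheckExact): str is rejected rather
    # than accepted for an ASCII subset, so no caller can assume that
    # arbitrary text is supported.
    if type(known) is not bytes or type(supplied) is not bytes:
        raise TypeError("timingsafe_eq() requires two bytes objects")
    mismatch = 0
    if len(known) != len(supplied):
        # No early return: compare `supplied` with itself so the loop length
        # depends only on the caller-provided value, not on the secret.
        known = supplied
        mismatch = 1
    for x, y in zip(known, supplied):
        mismatch |= x ^ y  # accumulate differences, never branch on them
    return mismatch == 0


def eq_ascii_text(known, supplied):
    """Hypothetical helper: text is encoded explicitly before comparing."""
    # str.encode('ascii') raises UnicodeEncodeError on non-ASCII input, so the
    # restriction is visible to the caller instead of hidden in the compare.
    return timingsafe_eq(known.encode("ascii"), supplied.encode("ascii"))


if __name__ == "__main__":
    tag = b"3f2a9c"  # constructed sample value
    print(timingsafe_eq(tag, b"3f2a9c"))
    print(timingsafe_eq(tag, b"3f2a9d"))
    print(timingsafe_eq(tag, b"3f2a9c00"))
    print(eq_ascii_text("3f2a9c", "3f2a9c"))
```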

