maxcountryman / flask-bcrypt

Flask-Bcrypt is a Flask extension that provides bcrypt hashing utilities for your application.

Home Page: http://readthedocs.org/docs/flask-bcrypt/

DeprecationWarning: flask_bcrypt.check_password_hash uses now deprecated werkzeug.security.safe_str_cm

msarfati opened this issue · comments

flask_bcrypt.check_password_hash uses the method werkzeug.security.safe_str_cm that has been marked deprecated.

return safe_str_cmp(bcrypt.hashpw(password, pw_hash), pw_hash)

https://github.com/pallets/werkzeug/blob/af160e0b6b7ddd81c22f1652c728ff5ac72d5c74/src/werkzeug/security.py#L103
(snippet as of the time of this post):

import warnings

def safe_str_cmp(a: str, b: str) -> bool:
    """This function compares strings in somewhat constant time.  This
    requires that the length of at least one string is known in advance.
    Returns `True` if the two strings are equal, or `False` if they are not.
    .. deprecated:: 2.0
        Will be removed in Werkzeug 2.1. Use
        :func:`hmac.compare_digest` instead.
    .. versionadded:: 0.7
    """
    warnings.warn(
        "'safe_str_cmp' is deprecated and will be removed in Werkzeug"
        " 2.1. Use 'hmac.compare_digest' instead.",
        DeprecationWarning,
        stacklevel=2,
    )

Have you guys made any plans to move to using hmac.compare_digest, as Werkzeug recommends? If not, I can submit a PR.
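The migration the thread asks for, as an added example that is not flask-bcrypt's or Werkzeug's own code: `safe_str_cmp` encoded `str` arguments itself, whereas `hmac.compare_digest` raises `TypeError` on a str/bytes mix or on a non-ASCII `str`, so the replacement has to normalize both sides to bytes first. `stub_hashpw`, `STORED` and the `$stub$` format are constructed stand-ins for `bcrypt.hashpw` and a stored hash so the block runs without the bcrypt package.

```python
import hashlib
import hmac
from typing import Callable, Union

StrOrBytes = Union[str, bytes]


def _to_bytes(value: StrOrBytes) -> bytes:
    # safe_str_cmp encoded str arguments before comparing; hmac.compare_digest
    # does not: it raises TypeError for str/bytes mixes and for non-ASCII str.
    return value.encode("utf-8") if isinstance(value, str) else value


def constant_time_equal(a: StrOrBytes, b: StrOrBytes) -> bool:
    """Drop-in for werkzeug.security.safe_str_cmp built on hmac.compare_digest."""
    return hmac.compare_digest(_to_bytes(a), _to_bytes(b))


def check_password_hash(pw_hash: StrOrBytes, password: StrOrBytes,
                        hashpw: Callable[[bytes, bytes], bytes]) -> bool:
    """Shape of flask_bcrypt.check_password_hash after the migration.

    hashpw is a bcrypt.hashpw-style callable: hashpw(password, stored_hash)
    re-derives the hash using the salt/cost embedded in stored_hash, and the
    result is compared against stored_hash in constant time.
    """
    pw_hash_b = _to_bytes(pw_hash)
    return constant_time_equal(hashpw(_to_bytes(password), pw_hash_b), pw_hash_b)


# Constructed stand-in for bcrypt.hashpw so the example runs without the bcrypt
# package. Format "$stub$<salt>$<hex>" is made up here; real code uses bcrypt.
def stub_hashpw(password: bytes, salt_or_hash: bytes) -> bytes:
    salt = salt_or_hash.split(b"$")[2]          # works for a bare salt or a full hash
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, 10_000).hex()
    return b"$stub$" + salt + b"$" + digest.encode("ascii")


STORED = stub_hashpw(b"correct horse", b"$stub$c0ffee$")  # constructed stored hash

if __name__ == "__main__":
    # str password against bytes hash, and bytes password against str hash
    print(check_password_hash(STORED, "correct horse", stub_hashpw))           # True
    print(check_password_hash(STORED.decode(), b"correct horse", stub_hashpw))  # True
    print(check_password_hash(STORED, "wrong", stub_hashpw))                   # False
    print(constant_time_equal("pässwörd", "pässwörd"))  # True; raw compare_digest raises
```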

A PR would be appreciated. Thank you.

@maxcountryman I've submitted a PR to address this issue: #70

Closed with #70.