Fixed constant_time_compare on Python 2.7.7

Python 2.7.7 includes compare_digest in the hmac module, but it requires both arguments to have the same type. This is usually not a problem on Python 3 since everything is text, but we have mixed unicode and str on Python 2 -- hence make sure everything is bytes before feeding it into compare_digest.
2025-10-31 09:41:08 +00:00 · 2014-05-26 13:52:37 +02:00
parent 32586b0ba4
commit 7e3cf3cfd2
1 changed files with 2 additions and 1 deletions
--- a/django/utils/crypto.py
+++ b/django/utils/crypto.py
@@ -79,7 +79,8 @@ def get_random_string(length=12,

 if hasattr(hmac, "compare_digest"):
    # Prefer the stdlib implementation, when available.
-    constant_time_compare = hmac.compare_digest
+    def constant_time_compare(val1, val2):
+        return hmac.compare_digest(force_bytes(val1), force_bytes(val2))
 else:
    def constant_time_compare(val1, val2):
        """