maxcountryman / flask-seasurf

SeaSurf is a Flask extension for preventing cross-site request forgery (CSRF).
http://readthedocs.org/docs/flask-seasurf/

Use 'hmac.compare_digest' if available #105

Closed c4rlo closed 2 years ago

c4rlo commented 2 years ago

...instead of werkzeug.security.safe_str_cmp, which is deprecated as of Werkzeug 2.0 and emits a DeprecationWarning on usage:

flask_seasurf.py:317: DeprecationWarning: 'safe_str_cmp' is deprecated and will be removed in Werkzeug 2.1. Use 'hmac.compare_digest' instead.
  if some_none or not safe_str_cmp(request_csrf_token, server_csrf_token):

Note that hmac.compare_digest is available in Python 2.7.7+ and Python 3.3+. In order not to make things worse for older Python versions, we fall back to the old behaviour if it is unavailable.
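
Added example (not flask-seasurf's own code): a timing-safe CSRF token check that follows the strategy described in this PR, preferring hmac.compare_digest and falling back to constant-time comparison when it is unavailable. The fallback function, the byte normalisation helper and the constructed sample tokens are this example's own additions, not the project's; it also handles the two caveats a practitioner hits in practice, a missing token on either side (the `some_none` guard in the warning's traceback) and hmac.compare_digest refusing mixed str/bytes or non-ASCII str arguments.

```python
# Added example (not flask-seasurf's own code): timing-safe CSRF token comparison
# with the fallback strategy described in the PR: prefer hmac.compare_digest,
# fall back to a constant-time byte loop when it is unavailable.
try:
    from hmac import compare_digest as _compare_digest  # Python 2.7.7+ / 3.3+
except ImportError:  # older interpreters without compare_digest
    _compare_digest = None


def _constant_time_bytes_eq(a, b):
    """Fallback: XOR every byte so run time depends only on the length of the
    inputs, not on where the first mismatch occurs. Written for this example
    as a stand-in for the deprecated werkzeug.security.safe_str_cmp."""
    if len(a) != len(b):
        return False
    result = 0
    for x, y in zip(bytearray(a), bytearray(b)):
        result |= x ^ y
    return result == 0


def _to_bytes(value):
    # hmac.compare_digest rejects mixed str/bytes arguments and non-ASCII str,
    # so normalise both tokens to UTF-8 bytes before comparing.
    if isinstance(value, bytes):
        return value
    return value.encode("utf-8")


def csrf_tokens_match(request_csrf_token, server_csrf_token):
    """Return True only when both tokens are present and equal.

    Mirrors the `some_none` guard from the traceback in the PR: a missing
    token on either side is a failed check, never an exception.
    """
    if request_csrf_token is None or server_csrf_token is None:
        return False
    a = _to_bytes(request_csrf_token)
    b = _to_bytes(server_csrf_token)
    if _compare_digest is not None:
        return _compare_digest(a, b)
    return _constant_time_bytes_eq(a, b)


def csrf_tokens_match_fallback_only(request_csrf_token, server_csrf_token):
    """Same check forced through the fallback path, so the fallback can be
    exercised even on interpreters that do have hmac.compare_digest."""
    if request_csrf_token is None or server_csrf_token is None:
        return False
    return _constant_time_bytes_eq(_to_bytes(request_csrf_token),
                                   _to_bytes(server_csrf_token))


if __name__ == "__main__":
    # Constructed sample tokens, not real application secrets.
    server = "a3f1c9e2b7d4"
    print(csrf_tokens_match("a3f1c9e2b7d4", server))   # True
    print(csrf_tokens_match("a3f1c9e2b7d5", server))   # False: last char differs
    print(csrf_tokens_match(None, server))             # False: token missing
    print(csrf_tokens_match(b"a3f1c9e2b7d4", server))  # True: bytes vs str normalised
```

Both paths return a plain bool and reject a mismatch only after looking at every byte, so a request token that is wrong in its first character takes the same time to reject as one that is wrong in its last.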

rspitler commented 2 years ago

With the latest Flask / Werkzeug release the use of safe_str_cmp now breaks flask-seasurf. Can we get this merged? Please ...