mikeboers / Flask-Images

On-demand resizing of images for Flask applications.

https://mikeboers.github.io/Flask-Images/

BSD 3-Clause "New" or "Revised" License

81 stars 43 forks source link

replace constant_time_compare with hmac.compare_digest #58

Closed jllopezpino closed 2 years ago

jllopezpino commented 3 years ago

Hi Mike,

My commit should fix the problem that I reported on #57. It would be great if you can review it and release a new version to pypi because latest itsdangerous version on pypi breaks this package.

Thanks!

mikeboers commented 3 years ago

Hi @jllopezpino,

Thanks for your patience.

I believe @invisiblek is correct, and it won't work as-is.

I think we ought to:

Use hmac.compare_digest as you did
Use hmac to do the signing for simplicity (ideally allowing use of the same settings that itsdangerous did so that signatures remain compatible
Remove all of the nonsense required for Py2 to work; I'm fine with only supporting >=3.3.

jllopezpino commented 3 years ago

Remove all of the nonsense required for Py2 to work; I'm fine with only supporting >=3.3.

I would go that way. But you are the maintainer here : )

jllopezpino commented 2 years ago

mikeboers / Flask-Images

replace constant_time_compare with hmac.compare_digest #58

60 already covers this