Merge branch 'safe_str_cmp' into 'master'

replace deprecated safe_str_cmp from werkzeug See merge request wcorrales/quart-csrf!1
2023-05-02 22:49:00 +00:00 · 2023-05-02 22:49:00 +00:00 · aa8d64bbd5
commit aa8d64bbd5
parent 17b3d3a2ce 2b880ef6c0
1 changed files with 18 additions and 1 deletions
--- a/quart_csrf/csrf.py
+++ b/quart_csrf/csrf.py
@ -1,12 +1,13 @@
 import hashlib
 import logging
 import os
+import hmac
 from urllib.parse import urlparse

 from itsdangerous import BadData, SignatureExpired, URLSafeTimedSerializer
 from quart import Blueprint, current_app, g, request, session
 from werkzeug.exceptions import BadRequest
-from werkzeug.security import safe_str_cmp
+# from werkzeug.security import safe_str_cmp
 from wtforms import ValidationError


@ -287,3 +288,19 @@ def same_origin(current_uri, compare_uri):
        and current.hostname == compare.hostname
        and current.port == compare.port
    )
+
+
+def safe_str_cmp(a: str, b: str) -> bool:
+    """This function compares strings in somewhat constant time. This
+    requires that the length of at least one string is known in advance.
+
+    Returns `True` if the two strings are equal, or `False` if they are not.
+    """
+
+    if isinstance(a, str):
+        a = a.encode("utf-8")  # type: ignore
+
+    if isinstance(b, str):
+        b = b.encode("utf-8")  # type: ignore
+
+    return hmac.compare_digest(a, b)