author | Marcel Hellkamp <marc@gsites.de> | 2016-02-12 10:53:10 +0100 |
---|---|---|
committer | Marcel Hellkamp <marc@gsites.de> | 2016-02-12 10:53:10 +0100 |
commit | 8f2b7efd277e0c9de0da27621af70608d28efb25 (patch) | |
tree | d803d3a4b573fafa008cffc29e146adf9b080311 | |
parent | 29974680ca1f2110da8c89ee29d697b00789c2b4 (diff) | |
parent | 08c03eee194f1251eb7d1e787c20340ff2b5d796 (diff) | |
download | bottle-8f2b7efd277e0c9de0da27621af70608d28efb25.tar.gz |
Merge pull request #821 from omtinez/master
Import module hashlib and change default hashing algorithm of HMAC from MD5 to SHA256
-rw-r--r-- | bottle.py | 13 |
1 files changed, 8 insertions, 5 deletions
@@ -68,7 +68,7 @@ if __name__ == '__main__':
 import base64, cgi, email.utils, functools, hmac, imp, itertools, mimetypes,\
- os, re, tempfile, threading, time, warnings
+ os, re, tempfile, threading, time, warnings, hashlib
 from types import FunctionType
 from datetime import date as datedate, datetime, timedelta
@@ -2834,19 +2834,22 @@ def _lscmp(a, b):
 for x, y in zip(a, b)) and len(a) == len(b)
-def cookie_encode(data, key):
+def cookie_encode(data, key, digestmod=None):
 """ Encode and sign a pickle-able object. Return a (byte) string """
+ digestmod = digestmod or hashlib.sha256
 msg = base64.b64encode(pickle.dumps(data, -1))
- sig = base64.b64encode(hmac.new(tob(key), msg).digest())
+ sig = base64.b64encode(hmac.new(tob(key), msg, digestmod=digestmod).digest())
 return tob('!') + sig + tob('?') + msg
-def cookie_decode(data, key):
+def cookie_decode(data, key, digestmod=None):
 """ Verify and decode an encoded string. Return an object or None."""
 data = tob(data)
 if cookie_is_encoded(data):
 sig, msg = data.split(tob('?'), 1)
- if _lscmp(sig[1:], base64.b64encode(hmac.new(tob(key), msg).digest())):
+ digestmod = digestmod or hashlib.sha256
+ hashed = hmac.new(tob(key), msg, digestmod=digestmod).digest()
+ if _lscmp(sig[1:], base64.b64encode(hashed)):
 return pickle.loads(base64.b64decode(msg))
 return None |
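Review bot: The new `digestmod` argument of `cookie_encode` and `cookie_decode` is not described in either docstring, and neither says that the default moved from MD5 to SHA-256, so cookies signed by an earlier release will now fail the `_lscmp` check and decode to `None` unless the caller passes `digestmod=hashlib.md5`. I would extend both docstrings, for example `""" Verify and decode an encoded string. Return an object or None. digestmod selects the HMAC hash (default: hashlib.sha256) and must match the one used by cookie_encode. """`. `cookie_decode` still passes the verified payload to `pickle.loads`, so the secrecy and strength of `key` is the only thing that keeps a client-supplied cookie from being deserialized; a comment above that line such as `# pickle.loads is reached only after the HMAC check; a leaked or guessable key makes this unsafe` would record that assumption. `_lscmp` starts outside this hunk, so the comparison itself is not reviewed here.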