Compatibility with Pythons older than 2.7.7 #42
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
medmunds
reviewed
Oct 31, 2016
| else: | ||
| def compare_digest(s1, s2): | ||
| return s1 == s2 | ||
|
|
There was a problem hiding this comment.
I'd suggest instead switching to django.utils.crypto.constant_time_compare, which is available on all Django versions we support. That preserves the security aspect of the code (unlike a simple == compare).
| @@ -34,7 +42,7 @@ def validate_request(self, request): | |||
| raise AnymailWebhookValidationFailure("Mailgun webhook called without required security fields") | |||
| expected_signature = hmac.new(key=self.api_key, msg='{}{}'.format(timestamp, token).encode('ascii'), | |||
| digestmod=hashlib.sha256).hexdigest() | |||
| if not hmac.compare_digest(signature, expected_signature): | |||
| if not compare_digest(signature, expected_signature): | |||
There was a problem hiding this comment.
The same change is also needed in the Mandrill webhook.
`EnvironmentVarGuard` is not safe to use outside python-internal development. Additionally, this test was failing in Python 2.7.3 From https://docs.python.org/2/library/test.html: > Any use of this package outside of Python’s standard library is > discouraged as code mentioned here can change or be removed without > notice between releases of Python
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #41