Hello community,
here is the log from the commit of package python-Flask-HTTPAuth for openSUSE:Factory checked in at 2019-06-01 09:47:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-Flask-HTTPAuth (Old)
and /work/SRC/openSUSE:Factory/.python-Flask-HTTPAuth.new.5148 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-Flask-HTTPAuth"
Sat Jun 1 09:47:01 2019 rev:2 rq:705806 version:3.3.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/python-Flask-HTTPAuth/python-Flask-HTTPAuth.changes 2018-10-31 13:21:11.799071040 +0100
+++ /work/SRC/openSUSE:Factory/.python-Flask-HTTPAuth.new.5148/python-Flask-HTTPAuth.changes 2019-06-01 09:47:03.631374252 +0200
@@ -1,0 +2,8 @@
+Tue May 28 07:33:27 UTC 2019 - Tomáš Chvátal
+
+- Update to 3.3.0:
+ * Use constant time string comparisons #82 (commit1, commit2) (thanks Brendan Long!)
+ * Edited and changed the usage of JWT, because in fact the code and documentation uses JWS tokens. #79 (commit) (thanks unuseless!)
+ * Documentation improvements #77 (commit)
+
+-------------------------------------------------------------------
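Review bot: the first bullet of the 3.3.0 entry (constant time string comparisons, #82) reads like an ordinary feature line, but it replaces plain == on password hashes, digest responses, nonces and opaque values in flask_httpauth.py below; consider flagging it as a security-relevant fix in the changes entry so the update is easy to spot when auditing for timing side channels.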
Old:
----
Flask-HTTPAuth-3.2.4.tar.gz
New:
----
Flask-HTTPAuth-3.3.0.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ python-Flask-HTTPAuth.spec ++++++
--- /var/tmp/diff_new_pack.Wx16wU/_old 2019-06-01 09:47:05.075373759 +0200
+++ /var/tmp/diff_new_pack.Wx16wU/_new 2019-06-01 09:47:05.075373759 +0200
@@ -1,7 +1,7 @@
#
# spec file for package python-Flask-HTTPAuth
#
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2017 Dr. Axel Braun
#
# All modifications and additions to the file contributed by third parties
@@ -20,7 +20,7 @@
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define modname Flask-HTTPAuth
Name: python-%{modname}
-Version: 3.2.4
+Version: 3.3.0
Release: 0
Summary: Basic and Digest HTTP authentication for Flask routes
License: MIT
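Review bot: this hunk only bumps Version, yet the new upstream module imports werkzeug.security.safe_str_cmp; check that the spec's Requires already pull in python-Werkzeug explicitly (Flask depends on it, so the import is normally satisfied transitively) rather than relying on that indirect dependency.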
++++++ Flask-HTTPAuth-3.2.4.tar.gz -> Flask-HTTPAuth-3.3.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/Flask_HTTPAuth.egg-info/PKG-INFO new/Flask-HTTPAuth-3.3.0/Flask_HTTPAuth.egg-info/PKG-INFO
--- old/Flask-HTTPAuth-3.2.4/Flask_HTTPAuth.egg-info/PKG-INFO 2018-06-18 00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/Flask_HTTPAuth.egg-info/PKG-INFO 2019-05-19 12:24:54.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: Flask-HTTPAuth
-Version: 3.2.4
+Version: 3.3.0
Summary: Basic and Digest HTTP authentication for Flask routes
Home-page: http://github.com/miguelgrinberg/flask-httpauth/
Author: Miguel Grinberg
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/PKG-INFO new/Flask-HTTPAuth-3.3.0/PKG-INFO
--- old/Flask-HTTPAuth-3.2.4/PKG-INFO 2018-06-18 00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/PKG-INFO 2019-05-19 12:24:55.000000000 +0200
@@ -1,6 +1,6 @@
Metadata-Version: 1.1
Name: Flask-HTTPAuth
-Version: 3.2.4
+Version: 3.3.0
Summary: Basic and Digest HTTP authentication for Flask routes
Home-page: http://github.com/miguelgrinberg/flask-httpauth/
Author: Miguel Grinberg
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/docs/index.rst new/Flask-HTTPAuth-3.3.0/docs/index.rst
--- old/Flask-HTTPAuth-3.2.4/docs/index.rst 2018-06-15 08:18:36.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/docs/index.rst 2019-05-19 11:33:53.000000000 +0200
@@ -44,7 +44,7 @@
@auth.hash_password
def hash_pw(password):
- return md5(password).hexdigest()
+ return md5(password.encode('utf-8')).hexdigest()
When the ``hash_password`` callback is provided access will be granted when ``get_password(username) == hash_password(password)``.
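Review bot: the .encode('utf-8') in the + line makes the example run on Python 3, where md5() rejects str, but the example still presents unsalted MD5 as a password hash. Because the context line states that access is granted when get_password(username) == hash_password(password), the hash_password callback must be deterministic, so a salted hash cannot be dropped in here; suggest labelling the md5 example as illustrative only and adding a sentence pointing readers to the verify_password callback with a proper password hashing function for real deployments.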
@@ -162,12 +162,17 @@
The ``verify_token`` callback receives the authentication credentials provided by the client on the ``Authorization`` header. This can be a simple token, or can contain multiple arguments, which the function will have to parse and extract from the string.
-In the examples directory you can find a complete example that uses JWT tokens.
+In the examples directory you can find a complete example that uses
+JWS tokens. JWS tokens are similar to JWT tokens. However using JWT
+tokens would require an external dependency to handle JWT.
Using Multiple Authentication Schemes
-------------------------------------
-Applications sometimes need to support a combination of authentication methods. For example, a web application could be authenticated by sending client id and secret over basic authentication, while third party API clients use a JWT bearer token. The `MultiAuth` class allows you to protect a route with more than one authentication object. To grant access to the endpoint, one of the authentication methods must validate.
+Applications sometimes need to support a combination of authentication
+methods. For example, a web application could be authenticated by
+sending client id and secret over basic authentication, while third
+party API clients use a JWS or JWT bearer token. The `MultiAuth` class allows you to protect a route with more than one authentication object. To grant access to the endpoint, one of the authentication methods must validate.
In the examples directory you can find a complete example that uses basic and token authentication.
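Review bot: wording in the added lines: "However using JWT" needs a comma after "However", and "JWS tokens are similar to JWT tokens" understates the relationship, since a JWT is a JWS (or JWE) whose payload is a JSON claims set; something like "The example uses signed tokens (JWS) rather than full JWT, which would add an external dependency" would be clearer. Also, the MultiAuth paragraph was rewrapped at about 70 columns except for its last line, which keeps the original long line; rewrap it fully for consistency.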
@@ -327,11 +332,11 @@
This class handles HTTP authentication with custom schemes for Flask routes.
- .. method:: __init__(scheme, realm=None)
+ .. method:: __init__(scheme='Bearer', realm=None)
Create a token authentication object.
- The ``scheme`` argument must be provided to be used in the ``WWW-Authenticate`` response.
+ The ``scheme`` argument can be use to specify the scheme to be used in the ``WWW-Authenticate`` response.
The ``realm`` argument can be used to provide an application defined realm with the ``WWW-Authenticate`` header.
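Review bot: typo in the added line: "can be use to specify" should read "can be used to specify". Since scheme now defaults to 'Bearer' in the signature, the sentence could also state that default explicitly so readers of the prose see it without reading the method signature.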
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/flask_httpauth.py new/Flask-HTTPAuth-3.3.0/flask_httpauth.py
--- old/Flask-HTTPAuth-3.2.4/flask_httpauth.py 2018-06-18 00:27:44.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/flask_httpauth.py 2019-05-19 12:24:47.000000000 +0200
@@ -13,8 +13,9 @@
from random import Random, SystemRandom
from flask import request, make_response, session
from werkzeug.datastructures import Authorization
+from werkzeug.security import safe_str_cmp
-__version__ = '3.2.4'
+__version__ = '3.3.0'
class HTTPAuth(object):
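Review bot: the new import of safe_str_cmp from werkzeug.security ties the module to that helper being present in the installed Werkzeug; the standard library's hmac.compare_digest provides the same constant-time comparison with no third-party dependency (encode str operands to UTF-8 bytes first, since compare_digest only accepts str when both sides are ASCII), so consider using it instead.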
@@ -143,7 +144,8 @@
client_password = self.hash_password_callback(username,
client_password)
return client_password is not None and \
- client_password == stored_password
+ stored_password is not None and \
+ safe_str_cmp(client_password, stored_password)
class HTTPDigestAuth(HTTPAuth):
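Review bot: the added `stored_password is not None and` guard is needed because safe_str_cmp, unlike ==, raises TypeError on None rather than returning False; the same applies to any other non-str/bytes value, so a user-supplied hash_password or get_password callback that returns, say, an int now raises instead of failing closed. Either document that callbacks must return str or bytes, or normalise both operands before the comparison.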
@@ -169,14 +171,20 @@
return session["auth_nonce"]
def default_verify_nonce(nonce):
- return nonce == session.get("auth_nonce")
+ session_nonce = session.get("auth_nonce")
+ if nonce is None or session_nonce is None:
+ return False
+ return safe_str_cmp(nonce, session_nonce)
def default_generate_opaque():
session["auth_opaque"] = _generate_random()
return session["auth_opaque"]
def default_verify_opaque(opaque):
- return opaque == session.get("auth_opaque")
+ session_opaque = session.get("auth_opaque")
+ if opaque is None or session_opaque is None:
+ return False
+ return safe_str_cmp(opaque, session_opaque)
self.generate_nonce(default_generate_nonce)
self.generate_opaque(default_generate_opaque)
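Review bot: default_verify_nonce and default_verify_opaque are now identical apart from the session key; factor the None guard plus safe_str_cmp into one small helper that takes the session key, so the four added lines are not duplicated. Keep the `if nonce is None or session_nonce is None: return False` behaviour, which correctly fails closed when the client omits the value or the session holds none.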
@@ -235,7 +243,7 @@
ha2 = md5(a2.encode('utf-8')).hexdigest()
a3 = ha1 + ":" + auth.nonce + ":" + ha2
response = md5(a3.encode('utf-8')).hexdigest()
- return response == auth.response
+ return safe_str_cmp(response, auth.response)
class HTTPTokenAuth(HTTPAuth):
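Review bot: unlike the nonce/opaque hunk above, this comparison has no None guard in the visible lines: auth.response comes from the client's Authorization header, and if a missing value reaches this line safe_str_cmp(response, None) raises TypeError where the old == returned False. If the top of authenticate already rejects a missing auth.response (not visible in this hunk), a short comment saying so would help; otherwise add `auth.response is not None and` before the comparison.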
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/setup.cfg new/Flask-HTTPAuth-3.3.0/setup.cfg
--- old/Flask-HTTPAuth-3.2.4/setup.cfg 2018-06-18 00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/setup.cfg 2019-05-19 12:24:55.000000000 +0200
@@ -1,5 +1,4 @@
[egg_info]
tag_build =
tag_date = 0
-tag_svn_revision = 0