commit python-Flask-HTTPAuth for openSUSE:Factory

1 Jun 2019

Hello community,

here is the log from the commit of package python-Flask-HTTPAuth for openSUSE:Factory checked in at 2019-06-01 09:47:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/python-Flask-HTTPAuth (Old)
 and      /work/SRC/openSUSE:Factory/.python-Flask-HTTPAuth.new.5148 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "python-Flask-HTTPAuth"

Sat Jun  1 09:47:01 2019 rev:2 rq:705806 version:3.3.0

Changes:
--------

--- /work/SRC/openSUSE:Factory/python-Flask-HTTPAuth/python-Flask-HTTPAuth.changes	2018-10-31 13:21:11.799071040 +0100
+++ /work/SRC/openSUSE:Factory/.python-Flask-HTTPAuth.new.5148/python-Flask-HTTPAuth.changes	2019-06-01 09:47:03.631374252 +0200
@@ -1,0 +2,8 @@
+Tue May 28 07:33:27 UTC 2019 - Tomáš Chvátal 
+
+- Update to 3.3.0:
+  * Use constant time string comparisons #82 (commit1, commit2) (thanks Brendan Long!)
+  * Edited and changed the usage of JWT, because in fact the code and documentation uses JWS tokens. #79 (commit) (thanks unuseless!)
+  * Documentation improvements #77 (commit)
+
+-------------------------------------------------------------------

Old:
----
  Flask-HTTPAuth-3.2.4.tar.gz

New:
----
  Flask-HTTPAuth-3.3.0.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ python-Flask-HTTPAuth.spec ++++++
--- /var/tmp/diff_new_pack.Wx16wU/_old	2019-06-01 09:47:05.075373759 +0200
+++ /var/tmp/diff_new_pack.Wx16wU/_new	2019-06-01 09:47:05.075373759 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package python-Flask-HTTPAuth
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 # Copyright (c) 2017 Dr. Axel Braun
 #
 # All modifications and additions to the file contributed by third parties
@@ -20,7 +20,7 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define modname Flask-HTTPAuth
 Name:           python-%{modname}
-Version:        3.2.4
+Version:        3.3.0
 Release:        0
 Summary:        Basic and Digest HTTP authentication for Flask routes
 License:        MIT

++++++ Flask-HTTPAuth-3.2.4.tar.gz -> Flask-HTTPAuth-3.3.0.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/Flask_HTTPAuth.egg-info/PKG-INFO new/Flask-HTTPAuth-3.3.0/Flask_HTTPAuth.egg-info/PKG-INFO
--- old/Flask-HTTPAuth-3.2.4/Flask_HTTPAuth.egg-info/PKG-INFO	2018-06-18 00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/Flask_HTTPAuth.egg-info/PKG-INFO	2019-05-19 12:24:54.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: Flask-HTTPAuth
-Version: 3.2.4
+Version: 3.3.0
 Summary: Basic and Digest HTTP authentication for Flask routes
 Home-page: http://github.com/miguelgrinberg/flask-httpauth/
 Author: Miguel Grinberg
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/PKG-INFO new/Flask-HTTPAuth-3.3.0/PKG-INFO
--- old/Flask-HTTPAuth-3.2.4/PKG-INFO	2018-06-18 00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/PKG-INFO	2019-05-19 12:24:55.000000000 +0200
@@ -1,6 +1,6 @@
 Metadata-Version: 1.1
 Name: Flask-HTTPAuth
-Version: 3.2.4
+Version: 3.3.0
 Summary: Basic and Digest HTTP authentication for Flask routes
 Home-page: http://github.com/miguelgrinberg/flask-httpauth/
 Author: Miguel Grinberg
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/docs/index.rst new/Flask-HTTPAuth-3.3.0/docs/index.rst
--- old/Flask-HTTPAuth-3.2.4/docs/index.rst	2018-06-15 08:18:36.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/docs/index.rst	2019-05-19 11:33:53.000000000 +0200
@@ -44,7 +44,7 @@
 
     @auth.hash_password
     def hash_pw(password):
-        return md5(password).hexdigest()
+        return md5(password.encode('utf-8')).hexdigest()
 
 When the ``hash_password`` callback is provided access will be granted when ``get_password(username) == hash_password(password)``.
 
@@ -162,12 +162,17 @@
 
 The ``verify_token`` callback receives the authentication credentials provided by the client on the ``Authorization`` header. This can be a simple token, or can contain multiple arguments, which the function will have to parse and extract from the string.
 
-In the examples directory you can find a complete example that uses JWT tokens.
+In the examples directory you can find a complete example that uses
+JWS tokens.  JWS tokens are similar to JWT tokens.  However using JWT
+tokens would require an external dependency to handle JWT.
 
 Using Multiple Authentication Schemes
 -------------------------------------
 
-Applications sometimes need to support a combination of authentication methods. For example, a web application could be authenticated by sending client id and secret over basic authentication, while third party API clients use a JWT bearer token. The `MultiAuth` class allows you to protect a route with more than one authentication object. To grant access to the endpoint, one of the authentication methods must validate.
+Applications sometimes need to support a combination of authentication
+methods. For example, a web application could be authenticated by
+sending client id and secret over basic authentication, while third
+party API clients use a JWS or JWT bearer token. The `MultiAuth` class allows you to protect a route with more than one authentication object. To grant access to the endpoint, one of the authentication methods must validate.
 
 In the examples directory you can find a complete example that uses basic and token authentication.
 
@@ -327,11 +332,11 @@
 
   This class handles HTTP authentication with custom schemes for Flask routes.
 
-  .. method:: __init__(scheme, realm=None)
+  .. method:: __init__(scheme='Bearer', realm=None)
 
     Create a token authentication object.
 
-    The ``scheme`` argument must be provided to be used in the ``WWW-Authenticate`` response.
+    The ``scheme`` argument can be use to specify the scheme to be used in the ``WWW-Authenticate`` response.
 
     The ``realm`` argument can be used to provide an application defined realm with the ``WWW-Authenticate`` header.
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/flask_httpauth.py new/Flask-HTTPAuth-3.3.0/flask_httpauth.py
--- old/Flask-HTTPAuth-3.2.4/flask_httpauth.py	2018-06-18 00:27:44.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/flask_httpauth.py	2019-05-19 12:24:47.000000000 +0200
@@ -13,8 +13,9 @@
 from random import Random, SystemRandom
 from flask import request, make_response, session
 from werkzeug.datastructures import Authorization
+from werkzeug.security import safe_str_cmp
 
-__version__ = '3.2.4'
+__version__ = '3.3.0'
 
 
 class HTTPAuth(object):
@@ -143,7 +144,8 @@
                 client_password = self.hash_password_callback(username,
                                                               client_password)
         return client_password is not None and \
-            client_password == stored_password
+            stored_password is not None and \
+            safe_str_cmp(client_password, stored_password)
 
 
 class HTTPDigestAuth(HTTPAuth):
@@ -169,14 +171,20 @@
             return session["auth_nonce"]
 
         def default_verify_nonce(nonce):
-            return nonce == session.get("auth_nonce")
+            session_nonce = session.get("auth_nonce")
+            if nonce is None or session_nonce is None:
+                return False
+            return safe_str_cmp(nonce, session_nonce)
 
         def default_generate_opaque():
             session["auth_opaque"] = _generate_random()
             return session["auth_opaque"]
 
         def default_verify_opaque(opaque):
-            return opaque == session.get("auth_opaque")
+            session_opaque = session.get("auth_opaque")
+            if opaque is None or session_opaque is None:
+                return False
+            return safe_str_cmp(opaque, session_opaque)
 
         self.generate_nonce(default_generate_nonce)
         self.generate_opaque(default_generate_opaque)
@@ -235,7 +243,7 @@
         ha2 = md5(a2.encode('utf-8')).hexdigest()
         a3 = ha1 + ":" + auth.nonce + ":" + ha2
         response = md5(a3.encode('utf-8')).hexdigest()
-        return response == auth.response
+        return safe_str_cmp(response, auth.response)
 
 
 class HTTPTokenAuth(HTTPAuth):
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Flask-HTTPAuth-3.2.4/setup.cfg new/Flask-HTTPAuth-3.3.0/setup.cfg
--- old/Flask-HTTPAuth-3.2.4/setup.cfg	2018-06-18 00:28:40.000000000 +0200
+++ new/Flask-HTTPAuth-3.3.0/setup.cfg	2019-05-19 12:24:55.000000000 +0200
@@ -1,5 +1,4 @@
 [egg_info]
 tag_build = 
 tag_date = 0
-tag_svn_revision = 0

    

commit python-Flask-HTTPAuth for openSUSE:Factory

root