Message 163371 - Python tracker

Message163371

Author	pitrou
Recipients	Jon.Oberheide, alex, christian.heimes, fijall, georg.brandl, hynek, loewis, ncoghlan, petri.lehtinen, pitrou, python-dev, serhiy.storchaka
Date	2012-06-21.21:45:29
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1340314923.3400.0.camel@localhost.localdomain>
In-reply-to	<1340312157.2703.17.camel@raxxla>

Content
> > > - I only handle exact byte or unicode types (no subclasses) since a > > > user may have overwritten __eq__ and I don't want to special case it. > > We could handle all bytes-compatible objects, using the buffer API. > > It is timing unsafe. How so? > > > - The unicode path works only with compact ASCII strings. I'm not > > > familiar with the new API so please scream if I did it wrong. > > It looks ok to me. > > The user can just do timingsafe_eq(a.decode('ascii'), > b.decode('ascii')). I don't think that's the right answer, because people will instead e.g. encode('utf-8'), and suddently the encodingly will not be timing-safe.

Content

> > > - I only handle exact byte or unicode types (no subclasses) since a
> > > user may have overwritten __eq__ and I don't want to special case it.
> > We could handle all bytes-compatible objects, using the buffer API.
> 
> It is timing unsafe.

How so?

> > > - The unicode path works only with compact ASCII strings. I'm not
> > > familiar with the new API so please scream if I did it wrong.
> > It looks ok to me.
> 
> The user can just do timingsafe_eq(a.decode('ascii'),
> b.decode('ascii')).

I don't think that's the right answer, because people will instead e.g.
encode('utf-8'), and suddently the encodingly will not be timing-safe.

History
Date	User	Action	Args
2012-06-21 21:45:31	pitrou	set	recipients: + pitrou, loewis, georg.brandl, ncoghlan, christian.heimes, alex, fijall, python-dev, petri.lehtinen, hynek, serhiy.storchaka, Jon.Oberheide
2012-06-21 21:45:30	pitrou	link	issue15061 messages
2012-06-21 21:45:29	pitrou	create