kallithea Changeset - 11ab74b7701b

Changeset - 11ab74b7701b

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Mads Kiilerich (mads) - 6 years ago 2020-08-18 22:36:45
mads@kiilerich.com

Grafted from: 72727aefb249

pytest: use hmac.new instead of hmac.HMAC

According to documentation, hmac.new is the way to create a HMAC object ... and
the first argument is mandaatory and we don't want to name it.

This has no functional change but will address a pytype warning:

File "kallithea/model/user.py", line 304, in get_reset_password_token: Invalid keyword arguments (digestmod, key, msg) to function HMAC.__init__ [wrong-keyword-args]

1 file changed with 2 insertions and 2 deletions:

kallithea/model/user.py

0 comments (0 inline, 0 general)

kallithea/model/user.py

➞

Show inline comments

@@ @@ -280,50 +280,50 @@ class UserModel(object): @@
         sufficiently similar to use an HMAC. Benefits compared to a plain
         SHA1 hash includes resistance against a length extension attack.
         The HMAC key consists of the following values (known only to the
         server and authorized users):
         * per-application secret (the `app_instance_uuid` setting), without
           which an attacker cannot counterfeit tokens
         * hashed user password, invalidating the token upon password change
         The HMAC message consists of the following values (potentially known
         to an attacker):
         * session ID (the anti-CSRF token), requiring an attacker to have
           access to the browser session in which the token was created
         * numeric user ID, limiting the token to a specific user (yet allowing
           users to be renamed)
         * user email address
         * time of token issue (a Unix timestamp, to enable token expiration)
         The key and message values are separated by NUL characters, which are
         guaranteed not to occur in any of the values.
         """
         app_secret = config.get('app_instance_uuid')
         return hmac.HMAC(
             key='\0'.join([app_secret, user.password]).encode('utf-8'),
         return hmac.new(
             '\0'.join([app_secret, user.password]).encode('utf-8'),
             msg='\0'.join([session_id, str(user.user_id), user.email, str(timestamp)]).encode('utf-8'),
             digestmod=hashlib.sha1,
         ).hexdigest()
     def send_reset_password_email(self, data):
         """
         Sends email with a password reset token and link to the password
         reset confirmation page with all information (including the token)
         pre-filled. Also returns URL of that page, only without the token,
         allowing users to copy-paste or manually enter the token from the
         email.
         """
         import kallithea.lib.helpers as h
         from kallithea.lib.celerylib import tasks
         from kallithea.model.notification import EmailNotificationModel
         user_email = data['email']
         user = User.get_by_email(user_email)
         timestamp = int(time.time())
         if user is not None:
             if self.can_change_password(user):
                 log.debug('password reset user %s found', user)
                 token = self.get_reset_password_token(user,
                                                       timestamp,

0 comments (0 inline, 0 general)