_@sdZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddl m Z dd l mZdd l mZdd l mZd Zd Ze djZeeddZeZeddejjejjgDZeddddZeddddZddZddZ ddZ!ddZ"ddd d!Z#d"d#Z$d$d%Z%dS)&z werkzeug.security ~~~~~~~~~~~~~~~~~ Security related helpers such as secure password hashing tools. :copyright: 2007 Pallets :license: BSD-3-Clause N) SystemRandom)Struct)izip)PY2) range_type) text_type)to_bytes) to_nativeZ>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789iIz>Icompare_digestccs!|]}|dkr|VqdS)N/)Nr ).0sepr r 5/tmp/pip-build-5gj8f0j9/Werkzeug/werkzeug/security.py !srcCs.t|||||}ttj|dS)a)Like :func:`pbkdf2_bin`, but returns a hex-encoded string. .. versionadded:: 0.9 :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided, the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function, or a function from the hashlib module. Defaults to sha256. hex_codec) pbkdf2_binr codecsencode)datasalt iterationskeylenhashfuncrvr r r pbkdf2_hex%srcCsm|s d}t|}t|}t|rN|}t|dd}n|}tj|||||S)aReturns a binary digest for the PBKDF2 hash algorithm of `data` with the given `salt`. It iterates `iterations` times and produces a key of `keylen` bytes. By default, SHA-256 is used as hash function; a different hashlib `hashfunc` can be provided. .. versionadded:: 0.9 :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function or a function from the hashlib module. Defaults to sha256. sha256nameN)r callablegetattrhashlib pbkdf2_hmac)rrrrrZ _test_hash hash_namer r rr9s    rcCst|tr|jd}t|tr<|jd}tdk rUt||St|t|krqdSd}trxht||D]&\}}|t|t|AO}qWn.x+t||D]\}}|||AO}qW|dkS)zThis function compares strings in somewhat constant time. This requires that the length of at least one string is known in advance. Returns `True` if the two strings are equal, or `False` if they are not. .. versionadded:: 0.7 zutf-8NFr) isinstancerr_builtin_safe_str_cmplenrrord)abrxyr r r safe_str_cmpZs  !r,cCs8|dkrtddjddt|DS)zAGenerate a random string of SALT_CHARS with specified ``length``.rzSalt length must be positivecss|]}tjtVqdS)N)_sys_rngchoice SALT_CHARS)r_r r rr|szgen_salt..) ValueErrorjoinr)lengthr r rgen_saltxs  r5c Csj|dkr||fSt|tr4|jd}|jdr|ddjd}t|dkrztd |jd }|rt|d pd pt }d }d ||f}n d }|}|r|stdt |||d|}n]|rHt|tr'|jd}t |||}|j }nt j||j }||fS)zInternal password hash helper. Supports plaintext without salt, unsalted and salted passwords. In case salted passwords are used hmac is used. plainzutf-8zpbkdf2:N:rz&Invalid number of arguments for PBKDF2rTz pbkdf2:%s:%dFzSalt is required for PBKDF2r)rr9)r$rr startswithsplitr&r2popintDEFAULT_PBKDF2_ITERATIONSr _create_mac hexdigestr!new) methodrpasswordargsrZ is_pbkdf2 actual_methodrmacr r r_hash_internals2   " rGcsPtrtj||Sdfdd}||_tj|||S)Ncstj|S)N)r!rA)d)rBr rrsz_create_mac..hashfunc)rhmacHMAC__call__)keymsgrBrr )rBrr?s   r?z pbkdf2:sha256cCsG|dkrt|nd}t|||\}}d|||fS)aHash a password with the given method and salt with a string of the given length. The format of the string returned includes the method that was used so that :func:`check_password_hash` can check the hash. The format for the hashed string looks like this:: method$salt$hash This method can **not** generate unsalted passwords but it is possible to set param method='plain' in order to enforce plaintext passwords. If a salt is used, hmac is used internally to salt the password. If PBKDF2 is wanted it can be enabled by setting the method to ``pbkdf2:method:iterations`` where iterations is optional:: pbkdf2:sha256:80000$salt$hash pbkdf2:sha256$salt$hash :param password: the password to hash. :param method: the hash method to use (one that hashlib supports). Can optionally be in the format ``pbkdf2:[:iterations]`` to enable PBKDF2. :param salt_length: the length of the salt in letters. r6r-z%s$%s$%s)r5rG)rCrBZ salt_lengthrhrEr r rgenerate_password_hashsrQcCsQ|jddkrdS|jdd\}}}tt|||d|S)acheck a password against a given salted and hashed password value. In order to support unsalted legacy passwords this method supports plain text passwords, md5 and sha1 hashes (both salted and unsalted). Returns `True` if the password matched, `False` otherwise. :param pwhash: a hashed string like returned by :func:`generate_password_hash`. :param password: the plaintext password to compare against the hash. $r9Fr)countr;r,rG)ZpwhashrCrBrZhashvalr r rcheck_password_hashs rTcs|g}x|D]~dkr1tjtfddtDs}tjjs}dks}jdrdS|jqWtj |S)a2Safely join zero or more untrusted path components to a base directory to avoid escaping the base directory. :param directory: The trusted base directory. :param pathnames: The untrusted path components relative to the base directory. :return: A safe path, otherwise ``None``. r-c3s|]}|kVqdS)Nr )rr)filenamer rrszsafe_join..z..z../N) posixpathnormpathany _os_alt_sepsospathisabsr:appendr3) directoryZ pathnamespartsr )rUr safe_joins    r`)&__doc__rr!rJrZrVrandomrstructr_compatrrrrr r r0r>packZ _pack_intr r%r.listr[raltseprYrrr,r5rGr?rQrTr`r r r r s:      (   %