wdfdZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddl m Z dd l mZdd l mZdd l mZd Zd Ze djZeeddZeZedejjejjfDZeddfdZeddfdZdZdZ dZ!dZ"ddZ#dZ$dZ%dS)z werkzeug.security ~~~~~~~~~~~~~~~~~ Security related helpers such as secure password hashing tools. :copyright: 2007 Pallets :license: BSD-3-Clause N) SystemRandom)Struct)izip)PY2) range_type) text_type)to_bytes) to_native>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789iIz>Icompare_digestc#"K|] }|dv|V dS))N/N).0seps V/var/www/book.euthymeo.com/html/venv/lib/python3.11/site-packages/werkzeug/security.py r s5 C{4J4JC4J4J4J4Jclt|||||}ttj|dS)a)Like :func:`pbkdf2_bin`, but returns a hex-encoded string. .. versionadded:: 0.9 :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided, the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function, or a function from the hashlib module. Defaults to sha256. hex_codec) pbkdf2_binr codecsencode)datasalt iterationskeylenhashfuncrvs r pbkdf2_hexr!%s3 D$ FH = =B V]2{33 4 44rc|sd}t|}t|}t|r|}t|dd}n|}tj|||||S)aReturns a binary digest for the PBKDF2 hash algorithm of `data` with the given `salt`. It iterates `iterations` times and produces a key of `keylen` bytes. By default, SHA-256 is used as hash function; a different hashlib `hashfunc` can be provided. .. versionadded:: 0.9 :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function or a function from the hashlib module. Defaults to sha256. sha256nameN)r callablegetattrhashlib pbkdf2_hmac)rrrrr _test_hash hash_names rrr9ss&  D>>D D>>DXZZ J55   y$j& I IIrct|tr|d}t|tr|d}tt||St |t |krdSd}t r9t ||D]'\}}|t|t|z z}(nt ||D] \}}|||z z}|dkS)zThis function compares strings in somewhat constant time. This requires that the length of at least one string is known in advance. Returns `True` if the two strings are equal, or `False` if they are not. .. versionadded:: 0.7 utf-8NFr) isinstancer r_builtin_safe_str_cmplenrrord)abr xys r safe_str_cmpr5Zs!Y HHW  !Y HHW  ($Q*** 1vvQu B AJJ " "DAq #a&&3q66/ !BB "AJJ  DAq !a%KBB 7Nrc|dkrtdddt|DS)zAGenerate a random string of SALT_CHARS with specified ``length``.rzSalt length must be positivec3TK|]#}ttV$dSN)_sys_rngchoice SALT_CHARS)r_s rrzgen_salt..|s.KK18??:..KKKKKKr) ValueErrorjoinr)lengths rgen_saltrAxsC {{7888 77KK 68J8JKKK K KKrc|dkr||fSt|tr|d}|dr||ddd}t |dvrt d|d }|rt|d pd pt}d }d ||fz}nd }|}|r%|st d t||||}ny|rPt|tr|d}t|||}| }n'tj|| }||fS)zInternal password hash helper. Supports plaintext without salt, unsalted and salted passwords. In case salted passwords are used hmac is used. plainr,zpbkdf2:N:)rz&Invalid number of arguments for PBKDF2rTz pbkdf2:%s:%dFzSalt is required for PBKDF2)r)r-r r startswithsplitr/r>popintDEFAULT_PBKDF2_ITERATIONSr! _create_mac hexdigestr'new) methodrpasswordargsr is_pbkdf2 actual_methodr macs r_hash_internalrUs (I&&,??7++ ## abbz$$ t99F " "EFF F!/c$q',Q//L3L  &&*)==    7 <:;; ; $ V D D D 7 dI & & (;;w''D$&11 ]]__ [ * * 4 4 6 6 } rctrtj||Sdfd }||_tj|||S)Nrc.tj|Sr9)r'rN)drOs rrz_create_mac..hashfuncs{61%%%r)r)r%hmacHMAC__call__)keymsgrOrs ` rrLrLsc+yc6***&&&&&& !H 9S#x ( ((r pbkdf2:sha256cl|dkrt|nd}t|||\}}|d|d|S)aHash a password with the given method and salt with a string of the given length. The format of the string returned includes the method that was used so that :func:`check_password_hash` can check the hash. The format for the hashed string looks like this:: method$salt$hash This method can **not** generate unsalted passwords but it is possible to set param method='plain' in order to enforce plaintext passwords. If a salt is used, hmac is used internally to salt the password. If PBKDF2 is wanted it can be enabled by setting the method to ``pbkdf2:method:iterations`` where iterations is optional:: pbkdf2:sha256:80000$salt$hash pbkdf2:sha256$salt$hash :param password: the password to hash. :param method: the hash method to use (one that hashlib supports). Can optionally be in the format ``pbkdf2:[:iterations]`` to enable PBKDF2. :param salt_length: the length of the salt in letters. rCr7$)rArU)rPrO salt_lengthrhrSs rgenerate_password_hashrdsM2%+g$5$58K 2D%fdH==A}&aa 00rc|ddkrdS|dd\}}}tt|||d|S)acheck a password against a given salted and hashed password value. In order to support unsalted legacy passwords this method supports plain text passwords, md5 and sha1 hashes (both salted and unsalted). Returns `True` if the password matched, `False` otherwise. :param pwhash: a hashed string like returned by :func:`generate_password_hash`. :param password: the plaintext password to compare against the hash. rarFFr)countrHr5rU)pwhashrPrOrhashvals rcheck_password_hashris[||C1u"LLa00FD' vtX>>qA7 K KKrcH|g}|D]dkrtjtfdtDs:tjsdksdrdS|tj |S)a2Safely join zero or more untrusted path components to a base directory to avoid escaping the base directory. :param directory: The trusted base directory. :param pathnames: The untrusted path components relative to the base directory. :return: A safe path, otherwise ``None``. r7c3 K|]}|vV dSr9r)rrfilenames rrzsafe_join..s'88Cx888888rz..z../N) posixpathnormpathany _os_alt_sepsospathisabsrGappendr?) directory pathnamespartsrls @r safe_joinrxsKE   r>> )(33H 8888<888 8 8 w}}X&& 4""5)) 44 X >5 !!r)r^r_)&__doc__rr'rYrqrmrandomrstructr_compatrrrr r r r<rKpack _pack_intr&r.r:listrrraltseprpr!rr5rArUrLrdrirxrrrrs   M " F4LL  &6== <>>tGK0 5TD5555*5TDJJJJB<LLL"""J ) ) )1111<LLL""""""r