3 e @sUddlZddlZddlZddlZddlZddlZddlZejr@dZ dZ e ddej j ej jgDZejee ddfejeefejeefeejeejejeejfedddZe ddfejeefejeefeejeejejeejfedd d Zeeed d d ZeedddZeeeejeefdddZdeeeedddZeeedddZeeejedddZ dS) NZ>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789iccs"|]}|dk r|dkr|VqdS)N/).0seprr5/tmp/pip-build-3irwxpxt/Werkzeug/werkzeug/security.py sr)datasalt iterationskeylenhashfuncreturncCs$tjdtddt|||||jS)aLike :func:`pbkdf2_bin`, but returns a hex-encoded string. :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided, the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function, or a function from the hashlib module. Defaults to sha256. .. deprecated:: 2.0 Will be removed in Werkzeug 2.1. Use :func:`hashlib.pbkdf2_hmac` instead. .. versionadded:: 0.9 zj'pbkdf2_hex' is deprecated and will be removed in Werkzeug 2.1. Use 'hashlib.pbkdf2_hmac().hex()' instead.) stacklevel)warningswarnDeprecationWarning pbkdf2_binhex)rr r r r rrr pbkdf2_hexs rcCsjtjdtddt|tr$|jd}t|tr8|jd}|sBd}nt|rT|j}n|}tj |||||S)aeReturns a binary digest for the PBKDF2 hash algorithm of `data` with the given `salt`. It iterates `iterations` times and produces a key of `keylen` bytes. By default, SHA-256 is used as hash function; a different hashlib `hashfunc` can be provided. :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function or a function from the hashlib module. Defaults to sha256. .. deprecated:: 2.0 Will be removed in Werkzeug 2.1. Use :func:`hashlib.pbkdf2_hmac` instead. .. versionadded:: 0.9 zd'pbkdf2_bin' is deprecated and will be removed in Werkzeug 2.1. Use 'hashlib.pbkdf2_hmac()' instead.r)rutf8sha256) rrr isinstancestrencodecallablenamehashlib pbkdf2_hmac)rr r r r hash_namerrrr5s     r)abr cCsDtjdtddt|tr$|jd}t|tr8|jd}tj||S)aiThis function compares strings in somewhat constant time. This requires that the length of at least one string is known in advance. Returns `True` if the two strings are equal, or `False` if they are not. .. deprecated:: 2.0 Will be removed in Werkzeug 2.1. Use :func:`hmac.compare_digest` instead. .. versionadded:: 0.7 zd'safe_str_cmp' is deprecated and will be removed in Werkzeug 2.1. Use 'hmac.compare_digest' instead.r)rzutf-8)rrrrrrhmaccompare_digest)r r!rrr safe_str_cmpgs     r$)lengthr cCs(|dkrtddjddt|DS)zAGenerate a random string of SALT_CHARS with specified ``length``.rzSalt length must be positivecss|]}tjtVqdS)N)secretschoice SALT_CHARS)r_rrrrszgen_salt..) ValueErrorjoinrange)r%rrrgen_saltsr.)methodr passwordr cCs|dkr||fS|jd}|jd}|jdr|s:td|ddjd}t|d kr`td |jd }|r~t|d pzd nt}tj ||||j d|d|fS|rt j |||j |fStj ||j |fS) zInternal password hash helper. Supports plaintext without salt, unsalted and salted passwords. In case salted passwords are used hmac is used. plainzutf-8zpbkdf2:zSalt is required for PBKDF2N:rz&Invalid number of arguments for PBKDF2r)r4r)r startswithr+splitlenpopintDEFAULT_PBKDF2_ITERATIONSrrrr"new hexdigest)r/r r0argsr rrr_hash_internals"     r> pbkdf2:sha256)r0r/ salt_lengthr cCs8|dkrt|nd}t|||\}}|d|d|S)aHash a password with the given method and salt with a string of the given length. The format of the string returned includes the method that was used so that :func:`check_password_hash` can check the hash. The format for the hashed string looks like this:: method$salt$hash This method can **not** generate unsalted passwords but it is possible to set param method='plain' in order to enforce plaintext passwords. If a salt is used, hmac is used internally to salt the password. If PBKDF2 is wanted it can be enabled by setting the method to ``pbkdf2:method:iterations`` where iterations is optional:: pbkdf2:sha256:80000$salt$hash pbkdf2:sha256$salt$hash :param password: the password to hash. :param method: the hash method to use (one that hashlib supports). Can optionally be in the format ``pbkdf2:method:iterations`` to enable PBKDF2. :param salt_length: the length of the salt in letters. r1r&$)r.r>)r0r/rAr hZ actual_methodrrrgenerate_password_hashsrD)pwhashr0r cCs<|jddkrdS|jdd\}}}tjt|||d|S)aCheck a password against a given salted and hashed password value. In order to support unsalted legacy passwords this method supports plain text passwords, md5 and sha1 hashes (both salted and unsalted). Returns `True` if the password matched, `False` otherwise. :param pwhash: a hashed string like returned by :func:`generate_password_hash`. :param password: the plaintext password to compare against the hash. rBrFr)countr6r"r#r>)rEr0r/r Zhashvalrrrcheck_password_hashs rG) directory pathnamesr csr|g}x`|D]Xdkr"tjtfddtDsVtjjsVdksVjdrZdS|jq Wtj |S)a2Safely join zero or more untrusted path components to a base directory to avoid escaping the base directory. :param directory: The trusted base directory. :param pathnames: The untrusted path components relative to the base directory. :return: A safe path, otherwise ``None``. r&c3s|]}|kVqdS)Nr)rr)filenamerrrszsafe_join..z..z../N) posixpathnormpathany _os_alt_sepsospathisabsr5appendr,)rHrIpartsr)rJr safe_joins     rT)r?r@)!rr"rOrKr'typingtrZ TYPE_CHECKINGr)r:listrPraltseprNListrUnionbytesr9OptionalCallablerrboolr$r.Tupler>rDrGrTrrrrs6&::,"