ó ~9Vc@s™dZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddlmZmZmZmZmZmZmZdZd Zed ƒjZeed dƒZe ƒZed „ejj ejj!gDƒƒZ"d „Z#e#ƒZ$eddd„Z%e&edƒZ'eddd„Z(d„Z)d„Z*d„Z+ddd„Z,d„Z-d„Z.dS(sñ werkzeug.security ~~~~~~~~~~~~~~~~~ Security related helpers such as secure password hashing tools. :copyright: (c) 2014 by the Werkzeug Team, see AUTHORS for more details. :license: BSD, see LICENSE for more details. iÿÿÿÿN(tStruct(t SystemRandom(txor(tstarmap(t range_typetPY2t text_typetiziptto_bytest string_typest to_nativet>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789iès>Itcompare_digestccs!|]}|dkr|VqdS(t/N(NR (tNone(t.0tsep((s3/tmp/pip-build-zHWFj_/Werkzeug/werkzeug/security.pys scCsmttddƒ}|dkr'd}ni}x9|D]1}tt|dƒ}|dk r4|||s(t ValueErrortjoinR(tlength((s3/tmp/pip-build-zHWFj_/Werkzeug/werkzeug/security.pytgen_salt™s c Cs¥|dkr||fSt|tƒr7|jdƒ}n|jdƒrÄ|djdƒ}t|ƒdkrztdƒ‚n|jd ƒ}|r¥t|d pŸd ƒp¨t }t }d ||f}n t }|}t j |ƒ}|dkrþtd |ƒ‚n|r4|std ƒ‚nt|||d |ƒ}ng|ryt|tƒr[|jdƒ}ntj|||ƒjƒ}n"|ƒ} | j|ƒ| jƒ}||fS(sInternal password hash helper. Supports plaintext without salt, unsalted and salted passwords. In case salted passwords are used hmac is used. tplainsutf-8spbkdf2:it:iis&Invalid number of arguments for PBKDF2is pbkdf2:%s:%dsinvalid method %rsSalt is required for PBKDF2R'(iiN(R3RR"t startswithtsplitRCROtpoptinttDEFAULT_PBKDF2_ITERATIONStTrueRDR4tgetRt TypeErrorR(R7R8t hexdigestR,( tmethodR$tpasswordtargsR%t is_pbkdf2t actual_methodt hash_funcRR1((s3/tmp/pip-build-zHWFj_/Werkzeug/werkzeug/security.pyt_hash_internal s<  "     s pbkdf2:sha1icCsG|dkrt|ƒpd}t|||ƒ\}}d|||fS(sðHash a password with the given method and salt with with a string of the given length. The format of the string returned includes the method that was used so that :func:`check_password_hash` can check the hash. The format for the hashed string looks like this:: method$salt$hash This method can **not** generate unsalted passwords but it is possible to set the method to plain to enforce plaintext passwords. If a salt is used, hmac is used internally to salt the password. If PBKDF2 is wanted it can be enabled by setting the method to ``pbkdf2:method:iterations`` where iterations is optional:: pbkdf2:sha1:2000$salt$hash pbkdf2:sha1$salt$hash :param password: the password to hash. :param method: the hash method to use (one that hashlib supports). Can optionally be in the format ``pbkdf2:[:iterations]`` to enable PBKDF2. :param salt_length: the length of the salt in letters. RSRJs%s$%s$%s(RRRd(R_R^t salt_lengthR$R1Rb((s3/tmp/pip-build-zHWFj_/Werkzeug/werkzeug/security.pytgenerate_password_hashËscCsQ|jdƒdkrtS|jddƒ\}}}tt|||ƒd|ƒS(sÉcheck a password against a given salted and hashed password value. In order to support unsalted legacy passwords this method supports plain text passwords, md5 and sha1 hashes (both salted and unsalted). Returns `True` if the password matched, `False` otherwise. :param pwhash: a hashed string like returned by :func:`generate_password_hash`. :param password: the plaintext password to compare against the hash. t$ii(tcountRDRVRIRd(tpwhashR_R^R$thashval((s3/tmp/pip-build-zHWFj_/Werkzeug/werkzeug/security.pytcheck_password_hashés cCshtj|ƒ}xtD]}||krdSqWtjj|ƒsQ|jdƒrUdStjj||ƒS(sÜSafely join `directory` and `filename`. If this cannot be done, this function returns ``None``. :param directory: the base directory. :param filename: the untrusted filename relative to that directory. s../N( t posixpathtnormpatht _os_alt_sepsRtostpathtisabsRURP(t directorytfilenameR((s3/tmp/pip-build-zHWFj_/Werkzeug/werkzeug/security.pyt safe_joinús  !(/t__doc__RoR7RRlR!tstructRtrandomRtoperatorRt itertoolsRtwerkzeug._compatRRRRRR R RMRYtpackR:RRRBRKtlistRpRtaltsepRnRR4R(R6R5R RIRRRdRfRkRt(((s3/tmp/pip-build-zHWFj_/Werkzeug/werkzeug/security.pyt s:     4 ( 3   +