U Ha @sUddlZddlZddlZddlZddlZddlZddlZejr@dZ dZ e ddej j ej jfDZejeed<e ddfejeefejeefeejeejejeejfeddd Ze ddfejeefejeefeejeejejeejfedd d Zeeed d dZeedddZeeeejeefdddZd eeeedddZeeedddZ eeejedddZ!dS)!NZ>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789iccs"|]}|dk r|dkr|VqdS)N/.0seprr5/tmp/pip-unpacked-wheel-ub1y1qyw/werkzeug/security.py sr _os_alt_seps)datasalt iterationskeylenhashfuncreturncCs$tjdtddt|||||S)aLike :func:`pbkdf2_bin`, but returns a hex-encoded string. :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided, the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function, or a function from the hashlib module. Defaults to sha256. .. deprecated:: 2.0 Will be removed in Werkzeug 2.1. Use :func:`hashlib.pbkdf2_hmac` instead. .. versionadded:: 0.9 zj'pbkdf2_hex' is deprecated and will be removed in Werkzeug 2.1. Use 'hashlib.pbkdf2_hmac().hex()' instead. stacklevel)warningswarnDeprecationWarning pbkdf2_binhex)r r r r rrrr pbkdf2_hexs rcCsjtjdtddt|tr$|d}t|tr8|d}|sBd}nt|rT|j}n|}t |||||S)aeReturns a binary digest for the PBKDF2 hash algorithm of `data` with the given `salt`. It iterates `iterations` times and produces a key of `keylen` bytes. By default, SHA-256 is used as hash function; a different hashlib `hashfunc` can be provided. :param data: the data to derive. :param salt: the salt for the derivation. :param iterations: the number of iterations. :param keylen: the length of the resulting key. If not provided the digest size will be used. :param hashfunc: the hash function to use. This can either be the string name of a known hash function or a function from the hashlib module. Defaults to sha256. .. deprecated:: 2.0 Will be removed in Werkzeug 2.1. Use :func:`hashlib.pbkdf2_hmac` instead. .. versionadded:: 0.9 zd'pbkdf2_bin' is deprecated and will be removed in Werkzeug 2.1. Use 'hashlib.pbkdf2_hmac()' instead.rrutf8sha256) rrr isinstancestrencodecallablenamehashlib pbkdf2_hmac)r r r r r hash_namerrrr5s     r)abrcCsDtjdtddt|tr$|d}t|tr8|d}t||S)aiThis function compares strings in somewhat constant time. This requires that the length of at least one string is known in advance. Returns `True` if the two strings are equal, or `False` if they are not. .. deprecated:: 2.0 Will be removed in Werkzeug 2.1. Use :func:`hmac.compare_digest` instead. .. versionadded:: 0.7 zd'safe_str_cmp' is deprecated and will be removed in Werkzeug 2.1. Use 'hmac.compare_digest' instead.rrutf-8)rrrrrrhmaccompare_digest)r#r$rrr safe_str_cmpgs     r()lengthrcCs(|dkrtddddt|DS)zAGenerate a random string of SALT_CHARS with specified ``length``.rzSalt length must be positivecss|]}ttVqdSN)secretschoice SALT_CHARS)r_rrrrszgen_salt..) ValueErrorjoinrange)r)rrrgen_saltsr3)methodr passwordrcCs|dkr||fS|d}|d}|dr|s:td|ddd}t|dkr`td |d }|r~t|d pzd nt}t |||| d|d|fS|rt ||| |fSt || |fS) zInternal password hash helper. Supports plaintext without salt, unsalted and salted passwords. In case salted passwords are used hmac is used. plainr%zpbkdf2:zSalt is required for PBKDF2N:)rz&Invalid number of arguments for PBKDF2r)r startswithr0splitlenpopintDEFAULT_PBKDF2_ITERATIONSr r!rr&new hexdigest)r4r r5argsr rrr_hash_internals$     rC pbkdf2:sha256)r5r4 salt_lengthrcCs8|dkrt|nd}t|||\}}|d|d|S)aHash a password with the given method and salt with a string of the given length. The format of the string returned includes the method that was used so that :func:`check_password_hash` can check the hash. The format for the hashed string looks like this:: method$salt$hash This method can **not** generate unsalted passwords but it is possible to set param method='plain' in order to enforce plaintext passwords. If a salt is used, hmac is used internally to salt the password. If PBKDF2 is wanted it can be enabled by setting the method to ``pbkdf2:method:iterations`` where iterations is optional:: pbkdf2:sha256:80000$salt$hash pbkdf2:sha256$salt$hash :param password: the password to hash. :param method: the hash method to use (one that hashlib supports). Can optionally be in the format ``pbkdf2:method:iterations`` to enable PBKDF2. :param salt_length: the length of the salt in letters. r6r*$)r3rC)r5r4rFr hZ actual_methodrrrgenerate_password_hashsrI)pwhashr5rcCs<|ddkrdS|dd\}}}tt|||d|S)aCheck a password against a given salted and hashed password value. In order to support unsalted legacy passwords this method supports plain text passwords, md5 and sha1 hashes (both salted and unsalted). Returns `True` if the password matched, `False` otherwise. :param pwhash: a hashed string like returned by :func:`generate_password_hash`. :param password: the plaintext password to compare against the hash. rGrFr)countr;r&r'rC)rJr5r4r Zhashvalrrrcheck_password_hashs rL) directory pathnamesrcsp|g}|D]Zdkr ttfddtDsTtjsTdksTdrZdS|q tj |S)a2Safely join zero or more untrusted path components to a base directory to avoid escaping the base directory. :param directory: The trusted base directory. :param pathnames: The untrusted path components relative to the base directory. :return: A safe path, otherwise ``None``. r*c3s|]}|kVqdSr+rrfilenamerrrszsafe_join..z..z../N) posixpathnormpathanyr ospathisabsr:appendr1)rMrNpartsrrOr safe_joins    rY)rDrE)"r r&rTrQr,typingtr TYPE_CHECKINGr.r?listrUraltsepr Listr__annotations__Unionbytesr>OptionalCallablerrboolr(r3TuplerCrIrLrYrrrrs`   $   2"