From db461112c70d5f2bf93c7a6ac27eeb665c232dd0 Mon Sep 17 00:00:00 2001
From: David Lord
Date: Sun, 7 Apr 2024 11:30:30 -0700
Subject: [PATCH] access sha1 lazily
---
 CHANGES.rst | 4 ++++
 src/flask/sessions.py | 10 +++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/CHANGES.rst b/CHANGES.rst
index 3c04b2f4a2..0908a02d24 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -3,6 +3,10 @@ Version 3.0.3
 Unreleased
+- The default ``hashlib.sha1`` may not be available in FIPS builds. Don't
+ access it at import time so the developer has time to change the default.
+ :issue:`5448`
+
 Version 3.0.2
 -------------
diff --git a/src/flask/sessions.py b/src/flask/sessions.py
index bb753eb814..ee19ad6387 100644
--- a/src/flask/sessions.py
+++ b/src/flask/sessions.py
@@ -277,6 +277,14 @@ def save_session(
 session_json_serializer = TaggedJSONSerializer()
+def _lazy_sha1(string: bytes = b"") -> t.Any:
+ """Don't access ``hashlib.sha1`` until runtime. FIPS builds may not include
+ SHA-1, in which case the import and use as a default would fail before the
+ developer can configure something else.
+ """
+ return hashlib.sha1(string)
+
+
 class SecureCookieSessionInterface(SessionInterface):
 """The default session interface that stores sessions in signed cookies through the :mod:`itsdangerous` module.
@@ -286,7 +294,7 @@ class SecureCookieSessionInterface(SessionInterface):
 #: signing of cookie based sessions.
 salt = "cookie-session"
 #: the hash function to use for the signature. The default is sha1
- digest_method = staticmethod(hashlib.sha1)
+ digest_method = staticmethod(_lazy_sha1)
 #: the name of the itsdangerous supported key derivation. The default
 #: is hmac.
 key_derivation = "hmac"
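Review bot: `_lazy_sha1` only postpones the missing-SHA-1 failure, and its docstring does not say what happens when the default is left in place. On a build without SHA-1, `return hashlib.sha1(string)` will still raise on first call. That is presumably the first time a session cookie is signed or verified, so the error would surface during request handling rather than at startup. I would add a closing sentence to the docstring, such as `Calling this on such a build still raises; set ``digest_method`` on a subclass before sessions are used.` The `-> t.Any` annotation also hides that callers receive a hashlib hash object; a comment saying why it is left loose would help the next reader.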
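Review bot: The `#:` comment above `digest_method` still says only "The default is sha1", so the attribute documentation gives no hint that the default may be unavailable or that this attribute is where to change it. I would extend it to `#: the hash function to use for the signature. The default is sha1, looked up on first use; set another ``hashlib`` function on builds without SHA-1.` Switching the digest on a deployed application would presumably invalidate cookies signed with the old one, which deserves a sentence in the same comment. The class body starts before this hunk and continues after it.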