From f6b0ae2a32d6bcd40246ef1ec3abb16ce65324dc Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Fri, 23 Nov 2018 15:55:00 -0600
Subject: always use compare_digest

---
 src/pyramid/util.py |  8 ++------
 tests/test_util.py  | 32 +++-----------------------------
 2 files changed, 5 insertions(+), 35 deletions(-)

diff --git a/src/pyramid/util.py b/src/pyramid/util.py
index cad8142dd..e552b37de 100644
--- a/src/pyramid/util.py
+++ b/src/pyramid/util.py
@@ -301,7 +301,7 @@ class WeakOrderedSet(object):
             return self._items[oid]()
 
 
-def strings_differ(string1, string2, compare_digest=compare_digest):
+def strings_differ(string1, string2):
     """Check whether two strings differ while avoiding timing attacks.
 
     This function returns True if the given strings differ and False
@@ -325,11 +325,7 @@ def strings_differ(string1, string2, compare_digest=compare_digest):
         left = string2
     right = string2
 
-    if compare_digest is not None:
-        invalid_bits += not compare_digest(left, right)
-    else:
-        for a, b in zip(left, right):
-            invalid_bits += a != b
+    invalid_bits += not compare_digest(left, right)
     return invalid_bits != 0
 
 
diff --git a/tests/test_util.py b/tests/test_util.py
index 0f313955b..84bc9379f 100644
--- a/tests/test_util.py
+++ b/tests/test_util.py
@@ -436,37 +436,11 @@ class Test_strings_differ(unittest.TestCase):
         self.assertFalse(self._callFUT('123', '123'))
         self.assertTrue(self._callFUT('123', '1234'))
 
-    def test_it_with_internal_comparator(self):
-        result = self._callFUT(b'foo', b'foo', compare_digest=None)
-        self.assertFalse(result)
-
-        result = self._callFUT(b'123', b'abc', compare_digest=None)
-        self.assertTrue(result)
-
-    def test_it_with_external_comparator(self):
-        class DummyComparator(object):
-            called = False
-
-            def __init__(self, ret_val):
-                self.ret_val = ret_val
-
-            def __call__(self, a, b):
-                self.called = True
-                return self.ret_val
-
-        dummy_compare = DummyComparator(True)
-        result = self._callFUT(b'foo', b'foo', compare_digest=dummy_compare)
-        self.assertTrue(dummy_compare.called)
+    def test_it(self):
+        result = self._callFUT(b'foo', b'foo')
         self.assertFalse(result)
 
-        dummy_compare = DummyComparator(False)
-        result = self._callFUT(b'123', b'345', compare_digest=dummy_compare)
-        self.assertTrue(dummy_compare.called)
-        self.assertTrue(result)
-
-        dummy_compare = DummyComparator(False)
-        result = self._callFUT(b'abc', b'abc', compare_digest=dummy_compare)
-        self.assertTrue(dummy_compare.called)
+        result = self._callFUT(b'123', b'abc')
         self.assertTrue(result)
 
 
-- 
cgit v1.2.3