[issue33604] HMAC default to MD5 marked as to be removed in 3.6

Raymond Hettinger report at bugs.python.org
Tue Oct 15 11:20:04 EDT 2019


Raymond Hettinger <raymond.hettinger at gmail.com> added the comment:

The docs still make it look like *digestmod* is an optional argument: 
   https://docs.python.org/3/library/hmac.html#hmac.new

The help output does as well:

    >>> help(hmac.new)
    Help on function new in module hmac:

    new(key, msg=None, digestmod=None)
        Create a new hashing object and return it.
        
        key: The starting key for the hash.
        msg: if available, will immediately be hashed into the object's starting
        state.
        
        You can now feed arbitrary strings into the object using its update()
        method, and can ask for the hash value at any time by calling its digest()
        method.

Also, it is well outside the Python norms to have a required argument default to None and to have that default value be invalid.

Presumably, the type annotation for this would be, "digestmod: Optional[str]=None".  That would further add to the confusion with a required Optional argument.

Another thought:  The usual exception for a missing argument is a TypeError, not a ValueError.

Lastly, I'm curious why another algorithm wasn't used (perhaps sha256) as a default rather than removing the default altogether.  This doesn't seem like good API design.

FWIW, this removal broke the third-party package, Bottle:

    Bottle v0.12.17 server starting up (using WSGIRefServer())...
    Listening on http://localhost:8081/
    Hit Ctrl-C to quit.

    127.0.0.1 - - [15/Oct/2019 07:53:10] "GET / HTTP/1.1" 200 1471
    Traceback (most recent call last):
      File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/bottle.py", line 862, in _handle
        return route.call(**args)
      File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/bottle.py", line 1742, in wrapper
        rv = callback(*a, **ka)
      File "webapp.py", line 32, in check_credentials
        response.set_cookie('token', token, max_age=3600, secret=secret)
      File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/bottle.py", line 1626, in set_cookie
        value = touni(cookie_encode((name, value), secret))
      File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/bottle.py", line 2600, in cookie_encode
        sig = base64.b64encode(hmac.new(tob(key), msg).digest())
      File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/hmac.py", line 146, in new
        return HMAC(key, msg, digestmod)
      File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/hmac.py", line 49, in __init__
        raise ValueError('`digestmod` is required.')
    ValueError: `digestmod` is required.

----------
nosy: +rhettinger
status: closed -> open

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue33604>
_______________________________________
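
Added example (not part of the original message, and not code from Bottle or CPython): a signed-cookie helper that always passes *digestmod* explicitly, so it does not depend on a default, plus a check that reproduces the failure in the traceback above. The function names, the `!sig?payload` layout, the JSON payload and the choice of sha256 are assumptions of this example.

```python
import base64
import hmac
import json

DIGEST = "sha256"  # assumption: this example's choice of algorithm


def implicit_digest_rejected(key: bytes, msg: bytes) -> bool:
    """True if hmac.new() without digestmod fails, as in the traceback above."""
    try:
        hmac.new(key, msg)
    except (ValueError, TypeError):
        # The traceback shows ValueError; TypeError is caught as well because
        # it is the usual exception for a missing argument.
        return True
    return False


def sign_cookie(name: str, value: str, secret: bytes) -> bytes:
    """Return b'!<sig>?<payload>' with an HMAC computed under an explicit digest."""
    payload = base64.b64encode(json.dumps([name, value]).encode("utf-8"))
    sig = base64.b64encode(hmac.new(secret, payload, digestmod=DIGEST).digest())
    return b"!" + sig + b"?" + payload


def verify_cookie(data: bytes, secret: bytes):
    """Return [name, value] if the signature checks out, else None."""
    if not data.startswith(b"!") or b"?" not in data:
        return None  # not in the signed layout at all
    sig, payload = data[1:].split(b"?", 1)
    expected = base64.b64encode(hmac.new(secret, payload, digestmod=DIGEST).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return json.loads(base64.b64decode(payload))


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    cookie = sign_cookie("token", "abc123", secret)
    print(implicit_digest_rejected(secret, b"x"), verify_cookie(cookie, secret))
```

Cookies signed earlier under the implicit MD5 default will not verify against a sha256 signature, so a change of digest invalidates existing signed values.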

