Description
The _get_md5() function in samcli/lib/utils/hash.py uses an incorrect version comparison that will break on future Python major versions.
Code location
samcli/lib/utils/hash.py, lines 15-19:
import hashlib
import sys

_MAJOR_PYTHON_VERSION = 3
_MINOR_PYTHON_VERSION = 9

def _get_md5():
    if sys.version_info.major >= _MAJOR_PYTHON_VERSION and sys.version_info.minor >= _MINOR_PYTHON_VERSION:
        return hashlib.md5(usedforsecurity=False)
    else:
        return hashlib.md5()
Problem
The version check uses separate >= comparisons on major and minor, which is incorrect. For example, Python 4.0 would have major=4 >= 3 (True) but minor=0 >= 9 (False), so it would incorrectly fall through to the bare hashlib.md5() call even though Python 4.0 would certainly support usedforsecurity.
Fix
Replace the separate comparisons with a tuple comparison:
def _get_md5():
    if sys.version_info >= (_MAJOR_PYTHON_VERSION, _MINOR_PYTHON_VERSION):
        return hashlib.md5(usedforsecurity=False)
    else:
        return hashlib.md5()
Python's sys.version_info is a named tuple and supports direct tuple comparison, which handles version ordering correctly: (4, 0) >= (3, 9) is True.
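To make the difference concrete, here is an added example (not code from the SAM CLI repository) that puts the two checks side by side as pure functions taking a version tuple, enumerates the versions on which they disagree, and builds the hash object with the corrected check. The function names, the injectable version_info parameter and the version ranges scanned are assumptions made for this illustration.

```python
import hashlib
import sys

# Same thresholds as the issue: usedforsecurity= arrived in Python 3.9.
_MAJOR_PYTHON_VERSION = 3
_MINOR_PYTHON_VERSION = 9


def supports_usedforsecurity_buggy(version_info):
    """The check as reported: independent >= on major and minor (hypothetical name)."""
    return (version_info[0] >= _MAJOR_PYTHON_VERSION
            and version_info[1] >= _MINOR_PYTHON_VERSION)


def supports_usedforsecurity_fixed(version_info):
    """The proposed fix: lexicographic tuple comparison (hypothetical name).

    Works for sys.version_info directly: a 5-field namedtuple compares
    element by element against the 2-tuple, so (3, 9, 0, 'final', 0) >= (3, 9).
    """
    return tuple(version_info[:2]) >= (_MAJOR_PYTHON_VERSION, _MINOR_PYTHON_VERSION)


def find_divergent_versions(majors=range(2, 6), minors=range(0, 14)):
    """Return every constructed (major, minor) pair on which the two checks disagree.

    Every disagreement has major > 3 and minor < 9: a future major release whose
    minor number has reset, exactly the Python 4.0 case from the report.
    """
    return [
        (major, minor)
        for major in majors
        for minor in minors
        if supports_usedforsecurity_buggy((major, minor))
        != supports_usedforsecurity_fixed((major, minor))
    ]


def get_md5(version_info=None):
    """_get_md5 with the corrected check; version_info is injectable for testing.

    MD5 here is a content fingerprint, not a security control, which is why
    usedforsecurity=False is passed when the interpreter accepts it.
    """
    if version_info is None:
        version_info = sys.version_info
    if supports_usedforsecurity_fixed(version_info):
        return hashlib.md5(usedforsecurity=False)
    return hashlib.md5()


def md5_hex(data, version_info=None):
    """Hex digest of data using get_md5(); result is independent of the branch taken."""
    h = get_md5(version_info)
    h.update(data)
    return h.hexdigest()


if __name__ == "__main__":
    for pair in find_divergent_versions():
        print(f"{pair}: buggy={supports_usedforsecurity_buggy(pair)} "
              f"fixed={supports_usedforsecurity_fixed(pair)}")
    print(md5_hex(b"abc"))
```

Running the module lists the eighteen (major, minor) pairs between 4.0 and 5.13 on which the original check returns False while the tuple comparison returns True; no pair below 3.9 is affected, which confirms the fix changes behaviour only for the future-version case the report describes.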