Merge pull request #1574 from dstufft/patch-1

Prevent timing attacks when checking CSRF token
author: Michael Merickel <michael@merickel.org> 2015-02-10 12:57:15 -0600
committer: Michael Merickel <michael@merickel.org> 2015-02-10 12:57:15 -0600
commit: 6a9d195c7d42ff3d497b9c09903fb5a987337e3b (patch)
tree: 977c64df2f3dd9e085c65123330f289168639af0
parent: 4517ec56047d5f33e0b190b69be2be1029612c05 (diff)
parent: 9756f6111b06de79306d3769edd83f6735275701 (diff)
download: pyramid-6a9d195c7d42ff3d497b9c09903fb5a987337e3b.tar.gz
pyramid-6a9d195c7d42ff3d497b9c09903fb5a987337e3b.tar.bz2
pyramid-6a9d195c7d42ff3d497b9c09903fb5a987337e3b.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/pyramid/session.py b/pyramid/session.py
index a95c3f258..c4cfc1949 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -125,8 +125,8 @@ def check_csrf_token(request,
 
     .. versionadded:: 1.4a2
     """
-    supplied_token = request.params.get(token, request.headers.get(header))
-    if supplied_token != request.session.get_csrf_token():
+    supplied_token = request.params.get(token, request.headers.get(header, ""))
+    if strings_differ(request.session.get_csrf_token(), supplied_token):
         if raises:
             raise BadCSRFToken('check_csrf_token(): Invalid token')
         return False
author	Michael Merickel <michael@merickel.org>	2015-02-10 12:57:15 -0600
committer	Michael Merickel <michael@merickel.org>	2015-02-10 12:57:15 -0600
commit	6a9d195c7d42ff3d497b9c09903fb5a987337e3b (patch)
tree	977c64df2f3dd9e085c65123330f289168639af0
parent	4517ec56047d5f33e0b190b69be2be1029612c05 (diff)
parent	9756f6111b06de79306d3769edd83f6735275701 (diff)
download	pyramid-6a9d195c7d42ff3d497b9c09903fb5a987337e3b.tar.gz pyramid-6a9d195c7d42ff3d497b9c09903fb5a987337e3b.tar.bz2 pyramid-6a9d195c7d42ff3d497b9c09903fb5a987337e3b.zip