Prevent timing attacks when checking CSRF token

author: Donald Stufft <donald@stufft.io> 2015-02-10 13:36:25 -0500
committer: Donald Stufft <donald@stufft.io> 2015-02-10 13:36:25 -0500
commit: b809c72a6fc6d286373dea1fcfe6f674efea24a5 (patch)
tree: 27b571eb4621f4211b4cf7777cb36ebdd9550910
parent: 4517ec56047d5f33e0b190b69be2be1029612c05 (diff)
download: pyramid-b809c72a6fc6d286373dea1fcfe6f674efea24a5.tar.gz
pyramid-b809c72a6fc6d286373dea1fcfe6f674efea24a5.tar.bz2
pyramid-b809c72a6fc6d286373dea1fcfe6f674efea24a5.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/pyramid/session.py b/pyramid/session.py
index a95c3f258..29ffcfc2a 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -126,7 +126,7 @@ def check_csrf_token(request,
     .. versionadded:: 1.4a2
     """
     supplied_token = request.params.get(token, request.headers.get(header))
-    if supplied_token != request.session.get_csrf_token():
+    if strings_differ(request.session.get_csrf_token(), supplied_token):
         if raises:
             raise BadCSRFToken('check_csrf_token(): Invalid token')
         return False
author	Donald Stufft <donald@stufft.io>	2015-02-10 13:36:25 -0500
committer	Donald Stufft <donald@stufft.io>	2015-02-10 13:36:25 -0500
commit	b809c72a6fc6d286373dea1fcfe6f674efea24a5 (patch)
tree	27b571eb4621f4211b4cf7777cb36ebdd9550910
parent	4517ec56047d5f33e0b190b69be2be1029612c05 (diff)
download	pyramid-b809c72a6fc6d286373dea1fcfe6f674efea24a5.tar.gz pyramid-b809c72a6fc6d286373dea1fcfe6f674efea24a5.tar.bz2 pyramid-b809c72a6fc6d286373dea1fcfe6f674efea24a5.zip