| author | Philip Jenvey <pjenvey@underboss.org> | 2011-04-25 01:04:17 -0700 |
|---|---|---|
| committer | Philip Jenvey <pjenvey@underboss.org> | 2011-04-25 01:04:17 -0700 |
| commit | bf6be9eae4d0be7789effd36875148b6319d77e1 (patch) | |
| tree | 7ffd049bdf20cc72bf93b00ed1fb5054678c7fe2 | |
| parent | a5702cd86382603cc1a3071bc16b9b493e21ebeb (diff) | |
| download | pyramid-bf6be9eae4d0be7789effd36875148b6319d77e1.tar.gz pyramid-bf6be9eae4d0be7789effd36875148b6319d77e1.tar.bz2 pyramid-bf6be9eae4d0be7789effd36875148b6319d77e1.zip | |
revert a5702cd8: oops, it undoes timing attack protection
| -rw-r--r-- | pyramid/session.py | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/pyramid/session.py b/pyramid/session.py
index c284ce91b..5772c80d0 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -18,7 +18,6 @@ import os
 from zope.interface import implements
-from pyramid.compat import any
 from pyramid.interfaces import ISession
 def manage_accessed(wrapped):
@@ -277,13 +276,16 @@ def signed_deserialize(serialized, secret, hmac=hmac):
 sig = hmac.new(secret, pickled, sha1).hexdigest()
- # Avoid timing attacks (see
- # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
-
 if len(sig) != len(input_sig):
 raise ValueError('Wrong signature length')
- if any(a != b for a, b in zip(sig, input_sig)):
+ # Avoid timing attacks (see
+ # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
+ invalid_bits = 0
+ for a, b in zip(sig, input_sig):
+ invalid_bits += a != b
+
+ if invalid_bits:
 raise ValueError('Invalid bits in signature')
 return pickle.loads(pickled) |
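Review bot: The restored comment above `invalid_bits = 0` says what the loop guards against but not why it must stay a full-length accumulating loop, which is exactly how a5702cd8 regressed it: `any(...)` short-circuits at the first mismatch, so comparison time again depended on how many leading characters of a forged `input_sig` were correct. Extend the comment so the next refactor does not repeat this, e.g. `# Compare every character and accumulate; do not replace with ==, any() or an early break,` / `# since those stop at the first mismatch and leak its position through timing.` Where the interpreter provides it, `hmac.compare_digest(sig, input_sig)` is the preferred constant-time comparison, with this loop kept only as the fallback, and a regression test asserting the comparison does not short-circuit would guard against a repeat revert. Minor: `invalid_bits` counts mismatched hex characters, not bits, so `mismatches` would be a more accurate name. The body of signed_deserialize begins before this hunk.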
