convert csrf tokens to bytes prior to string compare

author: Michael Merickel <michael@merickel.org> 2016-01-27 22:20:59 -0600
committer: Michael Merickel <michael@merickel.org> 2016-01-27 22:20:59 -0600
commit: f16a1bc04b8b42324ccb6c6d01e887633e5448dd (patch)
tree: 99c9d8c773f98528fd204bbf9fbc1d884e22d091
parent: 183804c747ec465383fac7f57c5b3f61a81fde51 (diff)
download: pyramid-f16a1bc04b8b42324ccb6c6d01e887633e5448dd.tar.gz
pyramid-f16a1bc04b8b42324ccb6c6d01e887633e5448dd.tar.bz2
pyramid-f16a1bc04b8b42324ccb6c6d01e887633e5448dd.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/pyramid/session.py b/pyramid/session.py
index b3be68705..a4cdf910d 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -126,7 +126,8 @@ def check_csrf_token(request,
     .. versionadded:: 1.4a2
     """
     supplied_token = request.params.get(token, request.headers.get(header, ""))
-    if strings_differ(request.session.get_csrf_token(), supplied_token):
+    expected_token = request.session.get_csrf_token()
+    if strings_differ(bytes_(expected_token), bytes_(supplied_token)):
         if raises:
             raise BadCSRFToken('check_csrf_token(): Invalid token')
         return False
author	Michael Merickel <michael@merickel.org>	2016-01-27 22:20:59 -0600
committer	Michael Merickel <michael@merickel.org>	2016-01-27 22:20:59 -0600
commit	f16a1bc04b8b42324ccb6c6d01e887633e5448dd (patch)
tree	99c9d8c773f98528fd204bbf9fbc1d884e22d091
parent	183804c747ec465383fac7f57c5b3f61a81fde51 (diff)
download	pyramid-f16a1bc04b8b42324ccb6c6d01e887633e5448dd.tar.gz pyramid-f16a1bc04b8b42324ccb6c6d01e887633e5448dd.tar.bz2 pyramid-f16a1bc04b8b42324ccb6c6d01e887633e5448dd.zip