Merge pull request #1457 from Pylons/feature.string-timing-attacks

use hmac.compare_digest if available
author: Michael Merickel <michael@merickel.org> 2014-11-17 01:11:15 -0600
committer: Michael Merickel <michael@merickel.org> 2014-11-17 01:11:15 -0600
commit: 46225d3323b761196c045de8e79145baa80192ea (patch)
tree: fbcdc868e15c98c513fbdd4f3df7fd3cb99169f6 /CHANGES.txt
parent: 0d6d8d1ae0eb134ca6221c6c9c86676299b6ec4a (diff)
parent: 716a20fc79c98e250c90a3d3e9f2218bec181a8d (diff)
download: pyramid-46225d3323b761196c045de8e79145baa80192ea.tar.gz
pyramid-46225d3323b761196c045de8e79145baa80192ea.tar.bz2
pyramid-46225d3323b761196c045de8e79145baa80192ea.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index a893ebae4..bbaa6739e 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -33,6 +33,11 @@ Features
 - Greatly improve the readability of the ``pcreate`` shell script output.
   See https://github.com/Pylons/pyramid/pull/1453
 
+- Improve robustness to timing attacks in the ``AuthTktCookieHelper`` and
+  the ``SignedCookieSessionFactory`` classes by using the stdlib's
+  ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+).
+  See https://github.com/Pylons/pyramid/pull/1457
+
 Bug Fixes
 ---------
author	Michael Merickel <michael@merickel.org>	2014-11-17 01:11:15 -0600
committer	Michael Merickel <michael@merickel.org>	2014-11-17 01:11:15 -0600
commit	46225d3323b761196c045de8e79145baa80192ea (patch)
tree	fbcdc868e15c98c513fbdd4f3df7fd3cb99169f6 /CHANGES.txt
parent	0d6d8d1ae0eb134ca6221c6c9c86676299b6ec4a (diff)
parent	716a20fc79c98e250c90a3d3e9f2218bec181a8d (diff)
download	pyramid-46225d3323b761196c045de8e79145baa80192ea.tar.gz pyramid-46225d3323b761196c045de8e79145baa80192ea.tar.bz2 pyramid-46225d3323b761196c045de8e79145baa80192ea.zip