use hmac.compare_digest if available

author: Michael Merickel <michael@merickel.org> 2014-11-16 23:11:15 -0600
committer: Michael Merickel <michael@merickel.org> 2014-11-16 23:12:56 -0600
commit: 716a20fc79c98e250c90a3d3e9f2218bec181a8d (patch)
tree: e4676a9acefa4a2612c611315edeb11bbb4561b0 /CHANGES.txt
parent: af0290407b50a18664c9ae28a4c01d4cfb27920b (diff)
download: pyramid-716a20fc79c98e250c90a3d3e9f2218bec181a8d.tar.gz
pyramid-716a20fc79c98e250c90a3d3e9f2218bec181a8d.tar.bz2
pyramid-716a20fc79c98e250c90a3d3e9f2218bec181a8d.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index a893ebae4..bbaa6739e 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -33,6 +33,11 @@ Features
 - Greatly improve the readability of the ``pcreate`` shell script output.
   See https://github.com/Pylons/pyramid/pull/1453
 
+- Improve robustness to timing attacks in the ``AuthTktCookieHelper`` and
+  the ``SignedCookieSessionFactory`` classes by using the stdlib's
+  ``hmac.compare_digest`` if it is available (such as Python 2.7.7+ and 3.3+).
+  See https://github.com/Pylons/pyramid/pull/1457
+
 Bug Fixes
 ---------
author	Michael Merickel <michael@merickel.org>	2014-11-16 23:11:15 -0600
committer	Michael Merickel <michael@merickel.org>	2014-11-16 23:12:56 -0600
commit	716a20fc79c98e250c90a3d3e9f2218bec181a8d (patch)
tree	e4676a9acefa4a2612c611315edeb11bbb4561b0 /CHANGES.txt
parent	af0290407b50a18664c9ae28a4c01d4cfb27920b (diff)
download	pyramid-716a20fc79c98e250c90a3d3e9f2218bec181a8d.tar.gz pyramid-716a20fc79c98e250c90a3d3e9f2218bec181a8d.tar.bz2 pyramid-716a20fc79c98e250c90a3d3e9f2218bec181a8d.zip