summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--pyramid/session.py12
1 files changed, 7 insertions, 5 deletions
diff --git a/pyramid/session.py b/pyramid/session.py
index c284ce91b..5772c80d0 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -18,7 +18,6 @@ import os
from zope.interface import implements
-from pyramid.compat import any
from pyramid.interfaces import ISession
def manage_accessed(wrapped):
@@ -277,13 +276,16 @@ def signed_deserialize(serialized, secret, hmac=hmac):
sig = hmac.new(secret, pickled, sha1).hexdigest()
- # Avoid timing attacks (see
- # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
-
if len(sig) != len(input_sig):
raise ValueError('Wrong signature length')
- if any(a != b for a, b in zip(sig, input_sig)):
+ # Avoid timing attacks (see
+ # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
+ invalid_bits = 0
+ for a, b in zip(sig, input_sig):
+ invalid_bits += a != b
+
+ if invalid_bits:
raise ValueError('Invalid bits in signature')
return pickle.loads(pickled)
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-17 06:47:59 +0000