From b809c72a6fc6d286373dea1fcfe6f674efea24a5 Mon Sep 17 00:00:00 2001
From: Donald Stufft <donald@stufft.io>
Date: Tue, 10 Feb 2015 13:36:25 -0500
Subject: Prevent timing attacks when checking CSRF token

---
 pyramid/session.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pyramid/session.py b/pyramid/session.py
index a95c3f258..29ffcfc2a 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -126,7 +126,7 @@ def check_csrf_token(request,
     .. versionadded:: 1.4a2
     """
     supplied_token = request.params.get(token, request.headers.get(header))
-    if supplied_token != request.session.get_csrf_token():
+    if strings_differ(request.session.get_csrf_token(), supplied_token):
         if raises:
             raise BadCSRFToken('check_csrf_token(): Invalid token')
         return False
-- 
cgit v1.2.3