From bf6be9eae4d0be7789effd36875148b6319d77e1 Mon Sep 17 00:00:00 2001
From: Philip Jenvey <pjenvey@underboss.org>
Date: Mon, 25 Apr 2011 01:04:17 -0700
Subject: revert a5702cd8: oops, it undoes timing attack protection

---
 pyramid/session.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/pyramid/session.py b/pyramid/session.py
index c284ce91b..5772c80d0 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -18,7 +18,6 @@ import os
 
 from zope.interface import implements
 
-from pyramid.compat import any
 from pyramid.interfaces import ISession
 
 def manage_accessed(wrapped):
@@ -277,13 +276,16 @@ def signed_deserialize(serialized, secret, hmac=hmac):
 
     sig = hmac.new(secret, pickled, sha1).hexdigest()
 
-    # Avoid timing attacks (see
-    # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
-
     if len(sig) != len(input_sig):
         raise ValueError('Wrong signature length')
 
-    if any(a != b for a, b in zip(sig, input_sig)):
+    # Avoid timing attacks (see
+    # http://seb.dbzteam.org/crypto/python-oauth-timing-hmac.pdf)
+    invalid_bits = 0
+    for a, b in zip(sig, input_sig):
+        invalid_bits += a != b
+
+    if invalid_bits:
         raise ValueError('Invalid bits in signature')
 
     return pickle.loads(pickled)
-- 
cgit v1.2.3