From f16a1bc04b8b42324ccb6c6d01e887633e5448dd Mon Sep 17 00:00:00 2001
From: Michael Merickel <michael@merickel.org>
Date: Wed, 27 Jan 2016 22:20:59 -0600
Subject: convert csrf tokens to bytes prior to string compare

---
 pyramid/session.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pyramid/session.py b/pyramid/session.py
index b3be68705..a4cdf910d 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -126,7 +126,8 @@ def check_csrf_token(request,
     .. versionadded:: 1.4a2
     """
     supplied_token = request.params.get(token, request.headers.get(header, ""))
-    if strings_differ(request.session.get_csrf_token(), supplied_token):
+    expected_token = request.session.get_csrf_token()
+    if strings_differ(bytes_(expected_token), bytes_(supplied_token)):
         if raises:
             raise BadCSRFToken('check_csrf_token(): Invalid token')
         return False
-- 
cgit v1.2.3