From 9270e08bf8839e2bf8afa11033834a0f3b68d3dd Mon Sep 17 00:00:00 2001
From: Michael Merickel
Date: Wed, 27 Jan 2016 22:20:10 -0600
Subject: add test to reproduce #2294

---
 pyramid/tests/test_session.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pyramid/tests/test_session.py b/pyramid/tests/test_session.py
index 82e4fb001..914d28a83 100644
--- a/pyramid/tests/test_session.py
+++ b/pyramid/tests/test_session.py
@@ -695,6 +695,13 @@ class Test_check_csrf_token(unittest.TestCase):
         result = self._callFUT(request, 'csrf_token', raises=False)
         self.assertEqual(result, False)
 
+    def test_token_differing_types(self):
+        from pyramid.compat import text_
+        request = testing.DummyRequest()
+        request.session['_csrft_'] = text_('foo')
+        request.params['csrf_token'] = b'foo'
+        self.assertEqual(self._callFUT(request, token='csrf_token'), True)
+
 class DummySerializer(object):
     def dumps(self, value):
         return base64.b64encode(json.dumps(value).encode('utf-8'))
-- 
cgit v1.2.3

From 183804c747ec465383fac7f57c5b3f61a81fde51 Mon Sep 17 00:00:00 2001
From: Michael Merickel
Date: Wed, 27 Jan 2016 22:20:19 -0600
Subject: set DummySession to use unicode csrf token by default like SignedCookieSessionFactory

---
 pyramid/testing.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pyramid/testing.py b/pyramid/testing.py
index 58dcb0b59..14432b01f 100644
--- a/pyramid/testing.py
+++ b/pyramid/testing.py
@@ -16,6 +16,7 @@ from pyramid.compat import (
     PY3,
     PYPY,
     class_types,
+    text_,
     )
 
 from pyramid.config import Configurator
@@ -274,7 +275,7 @@ class DummySession(dict):
         return storage
 
     def new_csrf_token(self):
-        token = '0123456789012345678901234567890123456789'
+        token = text_('0123456789012345678901234567890123456789')
         self['_csrft_'] = token
         return token
 
-- 
cgit v1.2.3

From f16a1bc04b8b42324ccb6c6d01e887633e5448dd Mon Sep 17 00:00:00 2001
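Review bot: test_token_differing_types only exercises a text session token against a bytes request parameter; the mirror case (bytes stored in the session, text supplied in params) and a negative case with the same type mix are not covered, so a fix that coerces just one side would still pass. Adding `request.session['_csrft_'] = b'foo'` with `request.params['csrf_token'] = text_('foo')`, plus a mismatch such as `request.params['csrf_token'] = b'bar'` asserted to return `False` with `raises=False`, would pin both directions and show the type conversion does not weaken the comparison. The neighbouring assertion in this class passes the token name positionally (`self._callFUT(request, 'csrf_token', raises=False)`), so `token='csrf_token'` here is a minor style inconsistency.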
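Review bot: The `text_(...)` wrapper added in DummySession.new_csrf_token carries no comment, so a later reader may treat it as redundant around a plain ASCII literal and drop it, reintroducing the text/bytes mismatch that the test in the first commit reproduces. A one-line comment above the assignment such as `# text token, matching what the real session factories store (see #2294)` would preserve the intent. The first hunk in pyramid/testing.py only adds the compat import and needs nothing further.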
From: Michael Merickel
Date: Wed, 27 Jan 2016 22:20:59 -0600
Subject: convert csrf tokens to bytes prior to string compare

---
 pyramid/session.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pyramid/session.py b/pyramid/session.py
index b3be68705..a4cdf910d 100644
--- a/pyramid/session.py
+++ b/pyramid/session.py
@@ -126,7 +126,8 @@ def check_csrf_token(request,
     .. versionadded:: 1.4a2
     """
     supplied_token = request.params.get(token, request.headers.get(header, ""))
-    if strings_differ(request.session.get_csrf_token(), supplied_token):
+    expected_token = request.session.get_csrf_token()
+    if strings_differ(bytes_(expected_token), bytes_(supplied_token)):
         if raises:
             raise BadCSRFToken('check_csrf_token(): Invalid token')
         return False
-- 
cgit v1.2.3
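Review bot: `bytes_(supplied_token)` on the new `if` line can raise instead of failing the check: the supplied value comes straight from request.params or the header, and pyramid.compat's bytes_() encodes text with a strict latin-1 encoding by default, so a token containing characters outside that range ends in a UnicodeEncodeError (an unhandled server error) rather than BadCSRFToken or a `False` return. Encoding the supplied side under a try/except and treating an unencodable value as a mismatch keeps the failure path uniform; the expected side is produced by the session and can stay as written. The diff adds no import for bytes_, so presumably it is already imported in session.py — worth confirming. check_csrf_token's signature and the rest of its body lie outside the hunk.
```python
    supplied_token = request.params.get(token, request.headers.get(header, ""))
    expected_token = request.session.get_csrf_token()
    try:
        supplied_token = bytes_(supplied_token)
    except UnicodeEncodeError:
        # a value that cannot be encoded can never equal the stored token
        supplied_token = b''
    if strings_differ(bytes_(expected_token), supplied_token):
        # … unchanged: raises / return False branch …
```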