erp5_access_token: use hmac.compare_digest instead of string comparison

in order to avoid timing attacks /reviewed-on nexedi/erp5!115

erp5_access_token: use hmac.compare_digest instead of string comparison
in order to avoid timing attacks /reviewed-on nexedi/erp5!115
e3da398b · Georgios Dagkakis · 61d69940 · e3da398b
Commit e3da398b authored May 11, 2016 by Georgios Dagkakis
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getExternalLogin.py ...p5_access_token/RestrictedAccessToken_getExternalLogin.py +4 -2

No files found.
--- a/bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getExternalLogin.py
+++ b/bt5/erp5_access_token/SkinTemplateItem/portal_skins/erp5_access_token/RestrictedAccessToken_getExternalLogin.py
 from zExceptions import Unauthorized
+import hmac
 if REQUEST is not None:
  raise Unauthorized

@@ -14,8 +15,9 @@ if access_token_document.getValidationState() == 'validated':
    reference = request.getHeader("X-ACCESS-TOKEN-SECRET", None)
    if reference is None:
      reference = request.form.get("access_token_secret", "INVALID_REFERERENCE")
-  
-    if access_token_document.getReference() != reference:
+
+    # use hmac.compare_digest and not string comparison to avoid timing attacks
+    if not hmac.compare_digest(access_token_document.getReference(), reference):
      return None
    
    agent_document = access_token_document.getAgentValue()