diff MoinMoin/security/textcha.py @ 5902:840ebd16ddd9

use a constant-time str comparison function to prevent timing attacks
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 09 Dec 2012 23:20:50 +0100
parents 1ddf7d88c53d
children 3a1b92276377
--- a/MoinMoin/security/textcha.py	Sat Dec 08 22:54:04 2012 +0100
+++ b/MoinMoin/security/textcha.py	Sun Dec 09 23:20:50 2012 +0100
@@ -28,6 +28,8 @@
 from MoinMoin import log
 logging = log.getLogger(__name__)
 
+from werkzeug.security import safe_str_cmp as safe_str_equal
+
 from MoinMoin import wikiutil
 from MoinMoin.support.python_compatibility import hmac_new
 
@@ -137,7 +139,7 @@
             if not timestamp or timestamp + self.expiry_time < time():
                 success = False
             try:
-                if self._compute_signature(self.question, timestamp) != signature:
+                if not safe_str_equal(self._compute_signature(self.question, timestamp), signature):
                     success = False
             except TypeError:
                 success = False
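Review bot: The `except TypeError` branch below the changed line now also swallows a TypeError raised inside `safe_str_equal` itself (for instance when `signature` is absent and arrives as None, or when a unicode/bytes mix reaches the comparison), so a missing or mis-typed signature is folded into `success = False` without any trace; a short comment such as `# TypeError covers both a failed signature computation and a non-str signature handed to the constant-time compare` would make that intent explicit for the next reader. Werkzeug's `safe_str_cmp`, aliased in the import hunk above, returns early when the two lengths differ, which is acceptable here only because `_compute_signature` presumably yields a fixed-length HMAC digest — worth confirming and stating in a comment next to the import. Later werkzeug releases deprecated and then removed `safe_str_cmp`; where the interpreter provides it, the standard library's `hmac.compare_digest` is the drop-in replacement and avoids the extra dependency in a security module, so a comment noting the migration path would help. The enclosing method starts before this hunk and continues past it.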