~sirn/fanboi2

06f8c07f0bdf242fc448cab0a7a5f02c403d63ef — Kridsada Thanabulpong 4 years ago 910c0ab
Use constant-time comparison function in CSRF check.
2 files changed, 2 insertions(+), 2 deletions(-)

M CHANGES.rst
M fanboi2/forms.py
M CHANGES.rst => CHANGES.rst +1 -0
@@ 2,6 2,7 @@ Next
====

- [Add] Allow post filter to be configured per country.
- [Fix] CSRF check now use constant-time comparison to prevent timing attack.

0.10.1
------
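Review bot: the new changelog line reads "CSRF check now use constant-time comparison", which should be "now uses" to match the tense of the surrounding entries; while here, "timing attack" would read more naturally as "timing attacks" since the entry describes a class of attack rather than a single one.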

M fanboi2/forms.py => fanboi2/forms.py +1 -2
@@ 61,8 61,7 @@ class SecureForm(Form):
        if not field.data:
            raise ValidationError('CSRF token missing.')
        hmac_compare = self._generate_hmac(field.csrf_key)
        # FIXME: Non constant-time comparison! compare_digest is 3.3.
        if not field.data == hmac_compare:
        if not hmac.compare_digest(field.data, hmac_compare):
            raise ValidationError('CSRF token mismatched.')

    @property
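Review bot: `hmac.compare_digest(field.data, hmac_compare)` raises `TypeError` instead of returning `False` when its two arguments are not both `str` or both `bytes`, or when they are `str` containing non-ASCII characters; `field.data` is attacker-controlled form input, so a non-ASCII token would surface as a server error rather than the intended `ValidationError('CSRF token mismatched.')`. Consider normalising both sides to the same type before the call (e.g. encoding both to bytes) or catching `TypeError` and treating it as a mismatch. The hunk also does not show where `hmac` is imported in forms.py; confirm the module is imported at the top of the file so the new line does not raise `NameError`, and note that the project still needs Python 3.3 or later, which the removed FIXME comment was pointing out.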