Commit e3da398b authored by Georgios Dagkakis's avatar Georgios Dagkakis

erp5_access_token: use hmac.compare_digest instead of string comparison

in order to avoid timing attacks

/reviewed-on !115
parent 61d69940
from zExceptions import Unauthorized from zExceptions import Unauthorized
import hmac
if REQUEST is not None: if REQUEST is not None:
raise Unauthorized raise Unauthorized
...@@ -15,7 +16,8 @@ if access_token_document.getValidationState() == 'validated': ...@@ -15,7 +16,8 @@ if access_token_document.getValidationState() == 'validated':
if reference is None: if reference is None:
reference = request.form.get("access_token_secret", "INVALID_REFERERENCE") reference = request.form.get("access_token_secret", "INVALID_REFERERENCE")
if access_token_document.getReference() != reference: # use hmac.compare_digest and not string comparison to avoid timing attacks
if not hmac.compare_digest(access_token_document.getReference(), reference):
return None return None
agent_document = access_token_document.getAgentValue() agent_document = access_token_document.getAgentValue()
......