fixed a potential timing attack, thanks Kirill Spitsin

VERSION

@@ -1 +1 @@
-Version 2.00.0 (2012-06-13 11:52:33) dev
+Version 2.00.0 (2012-06-13 16:45:24) dev

gluon/html.py

@@ -25,7 +25,7 @@ from HTMLParser import HTMLParser
 from htmlentitydefs import name2codepoint
 
 from storage import Storage
-from utils import web2py_uuid, hmac_hash
+from utils import web2py_uuid, hmac_hash, compare
 from highlight import highlight
 
 regex_crlf = re.compile('\r|\n')
@@ -455,7 +455,8 @@ def verifyURL(request, hmac_key=None, hash_vars=True, salt=None, user_signature=
 
     # return whether or not the signature in the request matched the one we just generated
     # (I.E. was the message the same as the one we originally signed)
-    return original_sig == sig
+    
+    return compare(original_sig, sig)
 
 URL.verify = verifyURL
 

gluon/utils.py

@@ -19,6 +19,10 @@ import logging
 
 logger = logging.getLogger("web2py")
 
+def compare(a,b):
+    """ compares two strings and not vulnerable to timing attacks """
+    return len(a)==len(b) and all(x==b[i] for i,x in enumerate(a))
+
 def md5_hash(text):
     """ Generate a md5 hash with the given text """
     return hashlib.md5(text).hexdigest()