actually use the constant-time compare function in secure_loads

2013-01-27 12:23:42 -05:00
parent 3bb8d5e235
commit 76b035b800
1 changed files with 1 additions and 1 deletions
--- a/gluon/utils.py
+++ b/gluon/utils.py
@@ -144,7 +144,7 @@ def secure_loads(data, encryption_key, hash_key=None, compression_level=None):
        hash_key = hashlib.sha1(encryption_key).hexdigest()
    signature, encrypted_data = data.split(':', 1)
    actual_signature = hmac.new(hash_key, encrypted_data).hexdigest()
-    if signature != actual_signature:
+    if not compare(signature, actual_signature):
        return None
    key = pad(encryption_key[:32])
    cipher = AES_new(key)