From 76b035b80026f1f080ae932ef27014a5c181c74a Mon Sep 17 00:00:00 2001
From: Marcin Wielgoszewski
Date: Sun, 27 Jan 2013 12:23:42 -0500
Subject: [PATCH] actually use the constant-time compare function in secure_loads

---
 gluon/utils.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gluon/utils.py b/gluon/utils.py
index 8e55108b..77ac7aa7 100644
--- a/gluon/utils.py
+++ b/gluon/utils.py
@@ -144,7 +144,7 @@ def secure_loads(data, encryption_key, hash_key=None, compression_level=None):
 hash_key = hashlib.sha1(encryption_key).hexdigest()
 signature, encrypted_data = data.split(':', 1)
 actual_signature = hmac.new(hash_key, encrypted_data).hexdigest()
- if signature != actual_signature:
+ if not compare(signature, actual_signature):
 return None
 key = pad(encryption_key[:32])
 cipher = AES_new(key)
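Review bot: The added `if not compare(signature, actual_signature):` line is only as strong as `compare`, whose definition is not in this hunk; since `signature` is parsed straight out of the caller-supplied `data`, that helper must examine every character and accumulate the result rather than return on the first mismatch, and a one-line comment at the call site such as `# constant-time compare: signature comes from untrusted input` would make that requirement visible to the next maintainer. Where the interpreter provides it, `hmac.compare_digest(signature, actual_signature)` is the standard-library constant-time comparison and is preferable to a hand-rolled loop. Both operands here are `hexdigest()` outputs, so an equal-length precondition in `compare` is satisfied on the valid path and a length-based early return does not weaken the check. Separately from this commit, `hmac.new(hash_key, encrypted_data)` is called without `digestmod`, so it presumably falls back to the interpreter's default digest (MD5 on the Python 2 line this `str`-based code appears to target); pinning an explicit digest would be a worthwhile follow-up. `secure_loads` continues outside the hunk.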