From c38c7e6c4e654dc1e0151a248a462449598eeacb Mon Sep 17 00:00:00 2001
From: Massimo Di Pierro
Date: Thu, 14 Jun 2012 13:00:57 -0500
Subject: [PATCH] fixed timing attack again, thanks Kirill
---
 VERSION | 2 +-
 gluon/utils.py | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/VERSION b/VERSION
index c0c1447d..ddc9452e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.00.0 (2012-06-13 20:02:08) dev
+Version 2.00.0 (2012-06-14 13:00:51) dev
diff --git a/gluon/utils.py b/gluon/utils.py
index 167a9f0e..99780351 100644
--- a/gluon/utils.py
+++ b/gluon/utils.py
@@ -21,7 +21,12 @@ logger = logging.getLogger("web2py")
 def compare(a,b):
 """ compares two strings and not vulnerable to timing attacks """
- return len(a)==len(b) and all(x==b[i] for i,x in enumerate(a))
+ if len(a) != len(b):
+ return False
+ result = 0
+ for x, y in zip(a, b):
+ result |= ord(x) ^ ord(y)
+ return result == 0
 def md5_hash(text):
 """ Generate a md5 hash with the given text """
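Review bot: The new `compare` still returns early on `len(a) != len(b)`, so response time reveals whether the caller's input has the same length as the secret, while the unchanged docstring claims the function is simply "not vulnerable to timing attacks". That leak is the accepted trade-off when both sides are fixed-length digests or tokens, but the docstring should say so: `""" Constant-time comparison of two strings. Only the length is leaked through timing, so use it on fixed-length values (hashes, HMACs, tokens) and never on variable-length secrets. """`. Where the interpreter provides `hmac.compare_digest` (Python 2.7.7+ / 3.3+) it should be preferred over this pure-Python loop, since a C implementation is easier to reason about than interpreter-level timing; that can be done by keeping this loop as the fallback behind `try: from hmac import compare_digest as compare` / `except ImportError:`. Note also that `ord(x)` raises TypeError on `bytes` elements under Python 3, so the fallback loop is `str`-only there.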