This repository was archived by the owner on Jan 10, 2023. It is now read-only.

xsrf _Compare function is vulnerable to timing attacks #35

@NilsAtGoogle


_Compare should be replaced with hmac.compare_digest

https://docs.python.org/2/library/hmac.html

It's preferred to use hmac.compare_digest over hand-rolling a constant-time comparison function, because it is difficult or impossible to implement correctly in pure Python.

Fun example: https://bugs.python.org/issue15061#msg162758

Note that it takes a different amount of time to create the result of ord() depending on whether it's <= 100 or > 100, due to caching of small numbers.

So definitely prefer hmac.compare_digest, if timing attacks are a worry.
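As an added example (not code from this issue or the project), here is an XSRF token verifier built on hmac.compare_digest as the issue recommends. The token layout, the key handling and the function names are assumptions for illustration; the point worth noting is that compare_digest needs both arguments to be bytes or both to be ASCII-only str, so attacker-supplied input is encoded to bytes before the comparison.

```python
import hashlib
import hmac
import os
import time

# Constructed for this example: a real app loads the key from a secret store.
SECRET_KEY = os.urandom(32)


def make_xsrf_token(secret, user_id, issued_at=None):
    """Assumed token layout: '<user_id>|<unix_ts>|<hex HMAC-SHA256>'."""
    if issued_at is None:
        issued_at = int(time.time())
    payload = "%s|%d" % (user_id, issued_at)
    mac = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return "%s|%s" % (payload, mac)


def verify_xsrf_token(secret, token, expected_user_id, max_age=3600, now=None):
    """Recompute the MAC and compare it in constant time.

    hmac.compare_digest raises TypeError if one side is str and the other
    bytes, or if a str side contains non-ASCII characters. Encoding both
    sides to bytes keeps malformed input on the False path instead of
    turning it into an exception. A length mismatch returns False without
    leaking anything useful: the expected digest length is public anyway.
    """
    parts = token.split("|")
    if len(parts) != 3:
        return False
    user_id, ts, presented_mac = parts
    try:
        issued_at = int(ts)
    except ValueError:
        return False
    payload = "%s|%d" % (user_id, issued_at)
    expected_mac = hmac.new(secret, payload.encode("utf-8"),
                            hashlib.sha256).hexdigest()
    mac_ok = hmac.compare_digest(expected_mac.encode("ascii"),
                                 presented_mac.encode("utf-8"))
    # Bind the token to the session's user and enforce an age limit. Neither
    # value is a secret, so ordinary comparison is fine for these checks.
    now = int(time.time()) if now is None else now
    fresh = 0 <= now - issued_at <= max_age
    return mac_ok and user_id == expected_user_id and fresh
```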
