use secrets.compare_digest when available

author: Helmut Grohne <helmut@subdivi.de> 2017-03-26 14:43:38 +0200
committer: Helmut Grohne <helmut@subdivi.de> 2017-03-26 14:43:38 +0200
commit: ab06a888e216f5d93bbc87aa69bac140cc058641 (patch)
tree: 687ced7d098d9504d86aa659e90557cde5594ab6
parent: 11e4968eb417459fac250665b9d274b4bb28f25a (diff)
download: wsgitools-ab06a888e216f5d93bbc87aa69bac140cc058641.tar.gz
1 files changed, 4 insertions, 2 deletions
diff --git a/wsgitools/digest.py b/wsgitools/digest.py
index 4f21af0..846257a 100644
--- a/wsgitools/digest.py
+++ b/wsgitools/digest.py
@@ -18,11 +18,13 @@ import hashlib
 import time
 import os
 try:
-    from secrets import randbits
+    from secrets import randbits, compare_digest
 except ImportError:
     import random
     sysrand = random.SystemRandom()
     randbits = sysrand.getrandbits
+    def compare_digest(a, b):
+        return a == b
 
 from wsgitools.internal import bytes2str, str2bytes, textopen
 from wsgitools.authentication import AuthenticationRequired, \
@@ -185,7 +187,7 @@ class AbstractTokenGenerator(object):
         assert isinstance(username, str)
         assert isinstance(password, str)
         token = "%s:%s:%s" % (username, self.realm, password)
-        return md5hex(token) == self(username)
+        return compare_digest(md5hex(token), self(username))
 
 __all__.append("AuthTokenGenerator")
 class AuthTokenGenerator(AbstractTokenGenerator):
author	Helmut Grohne <helmut@subdivi.de>	2017-03-26 14:43:38 +0200
committer	Helmut Grohne <helmut@subdivi.de>	2017-03-26 14:43:38 +0200
commit	ab06a888e216f5d93bbc87aa69bac140cc058641 (patch)
tree	687ced7d098d9504d86aa659e90557cde5594ab6
parent	11e4968eb417459fac250665b9d274b4bb28f25a (diff)
download	wsgitools-ab06a888e216f5d93bbc87aa69bac140cc058641.tar.gz