From ab06a888e216f5d93bbc87aa69bac140cc058641 Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Sun, 26 Mar 2017 14:43:38 +0200
Subject: use secrets.compare_digest when available

---
 wsgitools/digest.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)


diff --git a/wsgitools/digest.py b/wsgitools/digest.py
index 4f21af0..846257a 100644
--- a/wsgitools/digest.py
+++ b/wsgitools/digest.py
@@ -18,11 +18,13 @@ import hashlib
 import time
 import os
 try:
-    from secrets import randbits
+    from secrets import randbits, compare_digest
 except ImportError:
     import random
     sysrand = random.SystemRandom()
     randbits = sysrand.getrandbits
+    def compare_digest(a, b):
+        return a == b
 
 from wsgitools.internal import bytes2str, str2bytes, textopen
 from wsgitools.authentication import AuthenticationRequired, \
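Review bot: The fallback `compare_digest` added in the `except ImportError` branch returns `a == b`, which is not a constant-time comparison, so interpreters without the `secrets` module keep the early-exit comparison this commit is meant to replace. `hmac.compare_digest` has been in the standard library since Python 2.7.7 and 3.3 and is what `secrets.compare_digest` wraps, so the branch could use `from hmac import compare_digest` and keep the `==` version only as a last resort behind a second `ImportError`. If the plain fallback stays, a comment such as `# not constant-time; only used when hmac.compare_digest is unavailable` would make the limitation visible to callers.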
@@ -185,7 +187,7 @@ class AbstractTokenGenerator(object):
         assert isinstance(username, str)
         assert isinstance(password, str)
         token = "%s:%s:%s" % (username, self.realm, password)
-        return md5hex(token) == self(username)
+        return compare_digest(md5hex(token), self(username))
 
 __all__.append("AuthTokenGenerator")
 class AuthTokenGenerator(AbstractTokenGenerator):
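Review bot: `compare_digest` raises `TypeError` when an argument is not a str or bytes, whereas the replaced `==` simply returned False, so if `self(username)` can return `None` for an unknown user (its definition is not visible in this hunk) the check now fails with an exception instead of rejecting the login. Binding the result first keeps the old behaviour: `expected = self(username)` followed by `return expected is not None and compare_digest(md5hex(token), expected)`. On Python 3, str arguments must also be ASCII-only; `md5hex` presumably yields hex digits, but the stored token should be confirmed to be ASCII as well. The enclosing method starts above the hunk.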