This repository has been archived by the owner on Jan 10, 2023. It is now read-only.
xsrf _Compare function is vulnerable to timing attacks #35
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
_Compare should be replaced with hmac.compare_digest
https://docs.python.org/2/library/hmac.html
It's preferred to use hmac.compare_digest over hand-rolling
a constant-time comparison function, because it is difficult or impossible to
implement correctly in pure-python.
Fun example: https://bugs.python.org/issue15061#msg162758
So definitely prefer hmac.compare_digest, if timing attacks are a worry.
The text was updated successfully, but these errors were encountered: