Use time independent compare for secure cookie.
authorGary Burd <gary@hello9.local>
Mon, 11 Jan 2010 18:31:41 +0000 (10:31 -0800)
committerGary Burd <gary@hello9.local>
Mon, 11 Jan 2010 18:31:41 +0000 (10:31 -0800)
tornado/web.py

index dccb3297a5b7833a427299213ec813facf39c45b..089c074a839e148c213ba4b28f26d98d63033a50 100644 (file)
@@ -254,7 +254,8 @@ class RequestHandler(object):
         if not value: return None
         parts = value.split("|")
         if len(parts) != 3: return None
-        if self._cookie_signature(parts[0], parts[1]) != parts[2]:
+        if not _time_independent_equals(parts[2],
+                    self._cookie_signature(parts[0], parts[1])):
             logging.warning("Invalid cookie signature %r", value)
             return None
         timestamp = int(parts[1])
@@ -1270,6 +1271,15 @@ def _unicode(s):
     return s
 
 
+def _time_independent_equals(a, b):
+    if len(a) != len(b):
+        return False
+    result = 0
+    for x, y in zip(a, b):
+        result |= ord(x) ^ ord(y)
+    return result == 0
+
+
 class _O(dict):
     """Makes a dictionary behave like an object."""
     def __getattr__(self, name):
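Review bot: `_time_independent_equals` has no docstring, and its contract matters enough to state: it only runs in time independent of the content when the lengths match, since the `len(a) != len(b)` guard returns early and thereby reveals only the length, which is acceptable for the fixed-length digest `_cookie_signature` presumably returns (that helper is outside this hunk). I would add `"""Return True iff *a* == *b*, with running time that depends only on len(a) when the lengths match, so that the comparison does not leak how many leading characters of a signature were correct."""`. The `ord(x) ^ ord(y)` form also ties the function to single-character string elements; a one-line comment noting that both arguments are expected to be text strings of the same type (iterating a `bytes` object would yield ints and make `ord` raise) would save a maintainer a surprise.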