authorEli Collins <elic@assurancetechnologies.com>2011-12-01 17:37:38 -0500
committerEli Collins <elic@assurancetechnologies.com>2011-12-01 17:37:38 -0500
commit3a48462b540c1ef47099d0f8dc3feacf564dc74a (patch)
tree06bf41f4bdb821f5150a8f636253a40cfdb9fe56 /passlib/apache.py
parente7c1589b9c4020a098a9c5c56ff916e643c9726b (diff)
all verify() methods now use "constant time" comparison function (see CHANGELOG for details)
Diffstat (limited to 'passlib/apache.py')
-rw-r--r--passlib/apache.py6
1 files changed, 4 insertions, 2 deletions
diff --git a/passlib/apache.py b/passlib/apache.py
index deadff0..897cdf3 100644
--- a/passlib/apache.py
+++ b/passlib/apache.py
@@ -11,7 +11,8 @@ import sys
#site
#libs
from passlib.context import CryptContext
-from passlib.utils import render_bytes, bjoin, bytes, b, to_unicode, to_bytes
+from passlib.utils import render_bytes, bjoin, bytes, b, \
+ to_unicode, to_bytes, consteq
#pkg
#local
__all__ = [
@@ -523,7 +524,8 @@ class HtdigestFile(_CommonFile):
hash = self._entry_map.get((user,realm))
if hash is None:
return None
- return hash == self._calc_digest(user, realm, password)
+ result = self._calc_digest(user, realm, password)
+ return consteq(result, hash)
#=========================================================
# eof
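Review bot: The `if hash is None: return None` path just above the new `consteq` call returns before `_calc_digest` runs, so response time still distinguishes an unknown (user, realm) pair from a wrong password; the constant-time comparison only protects the digest bytes. If the early return is kept because `None` is the not-found result callers rely on, a comment such as `# NOTE: unknown (user, realm) returns early; timing reveals whether the entry exists` would make the limit explicit. `consteq` presumably expects both arguments to be the same string type, so it is worth confirming that `_calc_digest` returns the same type as the values stored in `_entry_map`. The method's signature and docstring lie outside the hunk.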