Use time indepdent compare for secure cookie.

e4c6eec2 · Gary Burd · b3d98c4a · e4c6eec2
隐藏空白更改
内联并排

Showing with 11 addition and 1 deletion

tornado/web.py tornado/web.py +11 -1

未找到文件。
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -254,7 +254,8 @@ class RequestHandler(object):
        if not value: return None
        parts = value.split("|")
        if len(parts) != 3: return None
-        if self._cookie_signature(parts[0], parts[1]) != parts[2]:
+        if not _time_independent_equals(parts[2],
+                    self._cookie_signature(parts[0], parts[1])):
            logging.warning("Invalid cookie signature %r", value)
            return None
        timestamp = int(parts[1])
@@ -1270,6 +1271,15 @@ def _unicode(s):
    return s


+def _time_independent_equals(a, b):
+    if len(a) != len(b):
+        return False
+    result = 0
+    for x, y in zip(a, b):
+        result |= ord(x) ^ ord(y)
+    return result == 0
+
+
 class _O(dict):
    """Makes a dictionary behave like an object."""
    def __getattr__(self, name):