From e4c6eec2114d2d95e48762dc8099b364e0a4e23c Mon Sep 17 00:00:00 2001
From: Gary Burd
Date: Mon, 11 Jan 2010 10:31:41 -0800
Subject: [PATCH] Use time indepdent compare for secure cookie.

---
 tornado/web.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/tornado/web.py b/tornado/web.py
index dccb3297..089c074a 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -254,7 +254,8 @@ class RequestHandler(object):
         if not value: return None
         parts = value.split("|")
         if len(parts) != 3: return None
-        if self._cookie_signature(parts[0], parts[1]) != parts[2]:
+        if not _time_independent_equals(parts[2],
+                                        self._cookie_signature(parts[0], parts[1])):
             logging.warning("Invalid cookie signature %r", value)
             return None
         timestamp = int(parts[1])
@@ -1270,6 +1271,15 @@ def _unicode(s):
     return s
 
 
+def _time_independent_equals(a, b):
+    if len(a) != len(b):
+        return False
+    result = 0
+    for x, y in zip(a, b):
+        result |= ord(x) ^ ord(y)
+    return result == 0
+
+
 class _O(dict):
     """Makes a dictionary behave like an object."""
     def __getattr__(self, name):
-- 
GitLab
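Review bot: The new `_time_independent_equals(parts[2], self._cookie_signature(...))` line carries no hint of why a plain `!=` was not good enough, and the next person to "simplify" it will put the short-circuiting comparison back; a one-line comment above it, `# parts[2] is attacker-controlled: compare in constant time so a mismatch's timing leaks nothing about the expected signature`, records the intent. Passing the attacker-supplied value first and the computed digest second is fine since the helper compares symmetrically, but note that the helper returns early on a length mismatch, which reveals only the (public, fixed) length of the digest. The context line `timestamp = int(parts[1])` still parses an unvalidated field and will raise `ValueError` rather than return `None` on a malformed cookie; that predates this commit but is worth a follow-up since the signature check above it is the only validation. The enclosing method of `RequestHandler` starts outside the hunk.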
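Review bot: `_time_independent_equals` in the second hunk has no docstring, so its one security property — that the loop runs over every character regardless of where the first difference is — is not stated and could be "optimized" away by a later edit; propose `"""Return a == b, taking time that depends only on len(a), not on where they differ; use it for MAC/signature checks so a mismatch's timing leaks nothing about the expected value."""` plus `# deliberately no early exit inside the loop` above the `for`. The early `return False` on unequal lengths is acceptable for the cookie use because the HMAC hex digest has a fixed, public length, and a comment saying so would stop that from being mistaken for a leak. `ord(x) ^ ord(y)` presumes both arguments are character strings of the same kind; if a caller ever passes bytes on Python 3, `ord()` on an int raises `TypeError`, so the docstring should name the expected type. Where the stdlib provides `hmac.compare_digest` it is the preferred primitive, but it is not available to this 2010 code.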