Use constant_time_compare to check oauth2 secrets.

This commit is contained in:
Logan Hanks
2013-10-16 16:52:41 -07:00
parent 5901ead106
commit 10e2ab8b42


@@ -37,7 +37,7 @@ from r2.models.token import (
from r2.lib.errors import ForbiddenError, errors
from r2.lib.pages import OAuth2AuthorizationPage
from r2.lib.require import RequirementException, require, require_split
from r2.lib.utils import parse_http_basic
from r2.lib.utils import constant_time_compare, parse_http_basic
from r2.lib.validator import (
nop,
validate,
@@ -156,7 +156,7 @@ class OAuth2AccessController(MinimalController):
client_id, client_secret = parse_http_basic(auth)
client = OAuth2Client.get_token(client_id)
require(client)
require(client.secret == client_secret)
require(constant_time_compare(client.secret, client_secret))
return client
except RequirementException:
abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
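Review bot: The new `require(constant_time_compare(client.secret, client_secret))` is protected only by `except RequirementException`, so if `parse_http_basic` hands back `None` for the secret (a Basic header with no password) or the two values differ in type, a `TypeError` raised inside the helper — which a `zip`-/`hmac`-style implementation can do — would surface as a 500 rather than the intended 401. A guard such as `require(client_secret is not None)` placed before the compare keeps every failure on the same `abort(401, ...)` path; whether the helper itself tolerates `None` cannot be seen from this hunk. The change also only equalises timing over the compared bytes: if `constant_time_compare` returns early on unequal lengths, as many utility versions do, the secret's length is still observable, so a short call-site comment like `# constant-time over contents; length mismatch may still be timing-visible` would help the next reader. The enclosing method of OAuth2AccessController begins outside the hunk.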