From 10e2ab8b421a6b562958656798b3f56ca40a82f7 Mon Sep 17 00:00:00 2001
From: Logan Hanks
Date: Wed, 16 Oct 2013 16:52:41 -0700
Subject: [PATCH] Use constant_time_compare to check oauth2 secrets.

---
 r2/r2/controllers/oauth2.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/r2/r2/controllers/oauth2.py b/r2/r2/controllers/oauth2.py
index 49deb4ff3..f545754fb 100644
--- a/r2/r2/controllers/oauth2.py
+++ b/r2/r2/controllers/oauth2.py
@@ -37,7 +37,7 @@ from r2.models.token import (
 from r2.lib.errors import ForbiddenError, errors
 from r2.lib.pages import OAuth2AuthorizationPage
 from r2.lib.require import RequirementException, require, require_split
-from r2.lib.utils import parse_http_basic
+from r2.lib.utils import constant_time_compare, parse_http_basic
 from r2.lib.validator import (
 nop,
 validate,
@@ -156,7 +156,7 @@ class OAuth2AccessController(MinimalController):
 client_id, client_secret = parse_http_basic(auth)
 client = OAuth2Client.get_token(client_id)
 require(client)
-require(client.secret == client_secret)
+require(constant_time_compare(client.secret, client_secret))
 return client
 except RequirementException:
 abort(401, headers=[("WWW-Authenticate", 'Basic realm="reddit"')])
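Review bot: The new `require(constant_time_compare(client.secret, client_secret))` line in the second hunk is only as safe as the inputs it receives, and nothing in the hunk guarantees that `client_secret` from `parse_http_basic(auth)` is a string rather than `None` or an empty value; if `constant_time_compare` raises `TypeError` on such input, the error escapes the `except RequirementException` clause and the client gets a 500 instead of the 401 challenge this block is written to return. Guarding the value first, `require(client_secret)` placed before the compare, keeps the failure inside the existing 401 path; whether the helper tolerates unequal lengths or mixed `str`/`unicode` arguments is not visible here and should be confirmed against its definition in r2.lib.utils. The line also deserves a why-comment, since the change reads as cosmetic to anyone who does not know the attack: `# constant-time compare: response timing must not reveal how many leading bytes of the secret matched`. The enclosing method and its `try:` start outside the hunk.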