Fix CSRF validation when token is unicode
Pyramid's params can be either str or unicode depending on the encoding.
Without this fix, constant_time_compare gives a TypeError: 'unicode' does
not have the buffer interface.
Patrick Valsecchi committed Nov 3, 2015
1 parent 779d977 commit 5a6df15
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion weberror/util/security.py
Expand Up @@ -51,4 +51,4 @@ def valid_csrf_token(secret, token):

expected = hmac.new(secret, expiry_ts, hashlib.sha256).hexdigest()

return constant_time_compare(hashed, expected)
return constant_time_compare(str(hashed), expected)
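
Review bot: str(hashed) in the new return line only handles unicode values that are pure ASCII. On Python 2, a unicode value containing any non-ASCII character makes str() raise UnicodeEncodeError, so a malformed token from the request params would surface as an unhandled exception rather than a failed validation. Consider encoding explicitly and treating an encoding failure as an invalid token, for example wrapping hashed.encode('ascii') in a try/except UnicodeError that returns False. The commit also carries no test; one that calls valid_csrf_token with a unicode token would pin the behaviour down.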
