
- The AuthTktAuthenticationPolicy did not use a timing-attack-aware string
  comparator.  See #320 for more info.

References issue#320.
1 parent c8c9bc8 commit e61ab86f91f5085fb601699ec1a25eac7b0cfca9 @mcdonc mcdonc committed Nov 20, 2011
Showing with 8 additions and 3 deletions.
  1. +8 −3 CHANGES.txt
@@ -4,8 +4,9 @@ Next release
Bug Fixes
---------
-- The ``pryamid.view.view_config`` decorator did not accept a ``match_params``
- predicate argument. See https://github.com/Pylons/pyramid/pull/308
+- Backport from master: The ``pryamid.view.view_config`` decorator did not
+ accept a ``match_params`` predicate argument. See
+ https://github.com/Pylons/pyramid/pull/308
- Backport fixes from master regarding URL decoding. URL segments are
no-longer "double-decoded" during traversal and when encountered in a route
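Review bot: The module name is still misspelled as ``pryamid.view.view_config`` in the reworded entry (the added line beginning "- Backport from master: The"). Since the line is being rewritten anyway, correct it to ``pyramid.view.view_config`` so the changelog names the real decorator and can be found by search.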
@@ -26,10 +27,14 @@ Bug Fixes
- Backport from master: fix ``request.json_body`` to deal with alternate
request charsets.
-- Backport from master: The AuthTktCookieHelper could potentially generate
+- Backport from master: the AuthTktCookieHelper could potentially generate
Unicode headers inappropriately when the ``tokens`` argument to remember
was used. See https://github.com/Pylons/pyramid/pull/314.
+- Backport from master: the AuthTktAuthenticationPolicy did not use a
+ timing-attack-aware string comparator. See
+ https://github.com/Pylons/pyramid/pull/320 for more info.
+
Testing
-------
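Review bot: The new AuthTktAuthenticationPolicy entry links to https://github.com/Pylons/pyramid/pull/320, while the commit message calls #320 an issue; confirm which it is and make the URL path match. The entry also gives no hint of which comparison was not timing-safe, so a reader scanning "Bug Fixes" cannot tell this is a security-relevant change; one clause naming what is compared would help users judge upgrade urgency. Minor style point: this hunk lowercases "the" after "Backport from master:" in two entries, while the reworded ``view_config`` entry in the first hunk keeps "The".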
