fixing secret comparison with constant time compare

Conflicts: agora_site/agora_core/forms/user.py
agoravoting · Jan 4, 2014 · 97607ae · 97607ae
1 parent 8f6f3b5
commit 97607ae
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/agora_site/agora_core/forms/user.py b/agora_site/agora_core/forms/user.py
@@ -12,6 +12,7 @@
 from django.utils.translation import gettext as _
 from django.contrib.auth import authenticate, login
 from django.shortcuts import get_object_or_404
+from django.utils.crypto import constant_time_compare
 
 from userena import settings as userena_settings
 from userena import forms as userena_forms
@@ -387,8 +388,10 @@ def clean_email(self):
 
     def clean_activation_secret(self):
         if len(self.cleaned_data['activation_secret']) > 0:
-            if self.cleaned_data['activation_secret'] != settings.AGORA_API_AUTO_ACTIVATION_SECRET:
-                raise django_forms.ValidationError(_('Invalid activation secret. ' + settings.AGORA_API_AUTO_ACTIVATION_SECRET + "!= " + self.cleaned_data['activation_secret']))
+            if not constant_time_compare(
+                    self.cleaned_data['activation_secret'],
+                    settings.AGORA_API_AUTO_ACTIVATION_SECRET):
+                raise django_forms.ValidationError(_('Invalid activation secret. '))
             if not settings.AGORA_ALLOW_API_AUTO_ACTIVATION:
                 raise django_forms.ValidationError(_('Auto activation not allowed.'))
         return self.cleaned_data['activation_secret']
@@ -439,4 +442,4 @@ def bundle_obj(self, obj, request):
             ur = ActivationUserResource()
             bundle = ur.build_bundle(obj=obj, request=request)
             bundle = ur.full_dehydrate(bundle)
-            return bundle
+            return bundle