hook/github: try hmac.compare_digest() first for better security

buildbot · Jun 30, 2018 · e159e4e · e159e4e
1 parent 63ade65
commit e159e4e
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/master/buildbot/www/hooks/github.py b/master/buildbot/www/hooks/github.py
@@ -114,9 +114,17 @@ def _get_payload(self, request):
             mac = hmac.new(unicode2bytes(self._secret),
                            msg=unicode2bytes(content),
                            digestmod=sha1)
-            # NOTE: hmac.compare_digest should be used, but it's only available
-            # starting Python 2.7.7
-            if mac.hexdigest() != hexdigest:
+
+            def _cmp(a, b):
+                try:
+                    # try the more secure compare_digest() first
+                    from hmac import compare_digest
+                    return compare_digest(a, b)
+                except ImportError:
+                    # and fallback to the insecure simple comparison otherwise
+                    return a == b
+
+            if not _cmp(mac.hexdigest(), hexdigest):
                 raise ValueError('Hash mismatch')
 
         content_type = request.getHeader(b'Content-Type')