From e159e4ed0a2fee9c7e41e81ae81333b0c9557256 Mon Sep 17 00:00:00 2001
From: Chih-Hsuan Yen
Date: Sat, 30 Jun 2018 11:21:32 +0800
Subject: [PATCH] hook/github: try hmac.compare_digest() first for better security

---
 master/buildbot/www/hooks/github.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/master/buildbot/www/hooks/github.py b/master/buildbot/www/hooks/github.py
index 5969fef8eae..2b18b957eaf 100644
--- a/master/buildbot/www/hooks/github.py
+++ b/master/buildbot/www/hooks/github.py
@@ -114,9 +114,17 @@ def _get_payload(self, request):
         mac = hmac.new(unicode2bytes(self._secret), msg=unicode2bytes(content),
                        digestmod=sha1)
-        # NOTE: hmac.compare_digest should be used, but it's only available
-        # starting Python 2.7.7
-        if mac.hexdigest() != hexdigest:
+
+        def _cmp(a, b):
+            try:
+                # try the more secure compare_digest() first
+                from hmac import compare_digest
+                return compare_digest(a, b)
+            except ImportError:
+                # and fallback to the insecure simple comparison otherwise
+                return a == b
+
+        if not _cmp(mac.hexdigest(), hexdigest):
             raise ValueError('Hash mismatch')
         content_type = request.getHeader(b'Content-Type')