Use safe_str_cmp when evaluating tokens. Fixes #252

pallets-eco · Jun 10, 2014 · a6b5d30 · a6b5d30
1 parent 0a48997
commit a6b5d30
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/flask_security/core.py b/flask_security/core.py
@@ -18,6 +18,7 @@
 from passlib.context import CryptContext
 from werkzeug.datastructures import ImmutableList
 from werkzeug.local import LocalProxy
+from werkzeug.security import safe_str_cmp
 
 from .utils import config_value as cv, get_config, md5, url_for_security, string_types
 from .views import create_blueprint
@@ -193,7 +194,7 @@ def _token_loader(token):
     try:
         data = _security.remember_token_serializer.loads(token)
         user = _security.datastore.find_user(id=data[0])
-        if user and md5(user.password) == data[1]:
+        if user and safe_str_cmp(md5(user.password), data[1]):
             return user
     except:
         pass