From a6b5d3053cca64f05c9741272844a3832cc3b2f4 Mon Sep 17 00:00:00 2001
From: Matt Wright
Date: Tue, 10 Jun 2014 12:14:52 -0400
Subject: [PATCH] Use `safe_str_cmp` when evaluating tokens. Fixes #252

---
 flask_security/core.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/flask_security/core.py b/flask_security/core.py
index e6341e22..7e922b47 100644
--- a/flask_security/core.py
+++ b/flask_security/core.py
@@ -18,6 +18,7 @@
 from passlib.context import CryptContext
 from werkzeug.datastructures import ImmutableList
 from werkzeug.local import LocalProxy
+from werkzeug.security import safe_str_cmp
 from .utils import config_value as cv, get_config, md5, url_for_security, string_types
 from .views import create_blueprint
 
@@ -193,7 +194,7 @@ def _token_loader(token):
     try:
         data = _security.remember_token_serializer.loads(token)
         user = _security.datastore.find_user(id=data[0])
-        if user and md5(user.password) == data[1]:
+        if user and safe_str_cmp(md5(user.password), data[1]):
             return user
     except:
         pass
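Review bot: The bare `except: pass` at the end of the second hunk swallows far more than a bad or expired remember-token — an `IndexError`/`TypeError` from a payload that is not the expected `[user_id, fingerprint]` pair, any datastore failure, and even `KeyboardInterrupt`/`SystemExit` — so a misconfiguration or bug is indistinguishable from "not logged in". Narrow it to the serializer's signature/expiry error plus the shape errors, e.g. `except (BadSignature, IndexError, TypeError): pass`, where the exact class comes from whatever `remember_token_serializer` is (presumably itsdangerous' `BadSignature`; it is not visible in this hunk, so confirm against the definition). The switch to `safe_str_cmp` is a sound defence-in-depth step, but `werkzeug.security.safe_str_cmp` was later deprecated and removed in Werkzeug 2.1 in favour of the stdlib `hmac.compare_digest`, which is the drop-in replacement wherever that function is available. `_token_loader`'s signature sits above the hunk and its body may continue below `pass`.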