
Commit 59edbfa

anderskalexmv
authored andcommitted
scim: Check SCIM tokens using constant-time comparison.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
1 parent 1dc094d commit 59edbfa


1 file changed

+5
-1
lines changed


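--- a/zerver/middleware.py
+++ b/zerver/middleware.py
@@ -25,6 +25,7 @@
 from django.shortcuts import render
 from django.utils import translation
 from django.utils.cache import patch_vary_headers
+from django.utils.crypto import constant_time_compare
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.log import log_response
 from django.utils.translation import gettext as _
@@ -704,7 +705,10 @@ def validate_scim_bearer_token(request: HttpRequest) -> Optional[SCIMClient]:
     assert valid_bearer_token
     assert scim_client_name
 
-    if request.headers.get("Authorization") != f"Bearer {valid_bearer_token}":
+    authorization = request.headers.get("Authorization")
+    if authorization is None or not constant_time_compare(
+        authorization, f"Bearer {valid_bearer_token}"
+    ):
         return None
 
     request_notes = RequestNotes.get_notes(request)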
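Review bot: The new `constant_time_compare` call in validate_scim_bearer_token carries no comment explaining why the plain `!=` was replaced, so a later "simplification" could quietly reintroduce the timing side channel; add above the `if`: `# Constant-time comparison: a plain != returns as soon as a byte differs, letting response timing reveal how much of the token prefix is correct.` The explicit `authorization is None` guard is worth a word too, since Django's constant_time_compare coerces its arguments rather than rejecting None (from memory of its implementation — confirm against the Django version in use), so dropping the guard would not fail loudly. Note also that the whole `Bearer <token>` string is compared, so a client sending the scheme in another case (`bearer ...`) is rejected; if that strictness is intended, a one-line comment saying so would stop someone "fixing" it. validate_scim_bearer_token begins and ends outside this hunk.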
