scim: Check SCIM tokens using constant-time comparison.
Signed-off-by: Anders Kaseorg <anders@zulip.com>
andersk authored and alexmv committed Nov 16, 2022
1 parent 1dc094d commit 59edbfa
Showing 1 changed file with 5 additions and 1 deletion.
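--- a/zerver/middleware.py
+++ b/zerver/middleware.py
@@ -25,6 +25,7 @@
 from django.shortcuts import render
 from django.utils import translation
 from django.utils.cache import patch_vary_headers
+from django.utils.crypto import constant_time_compare
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.log import log_response
 from django.utils.translation import gettext as _
@@ -704,7 +705,10 @@ def validate_scim_bearer_token(request: HttpRequest) -> Optional[SCIMClient]:
 assert valid_bearer_token
 assert scim_client_name
 
-if request.headers.get("Authorization") != f"Bearer {valid_bearer_token}":
+authorization = request.headers.get("Authorization")
+if authorization is None or not constant_time_compare(
+authorization, f"Bearer {valid_bearer_token}"
+):
 return None
 
 request_notes = RequestNotes.get_notes(request)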
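Review bot: The new `constant_time_compare` branch carries no comment saying why the plain `!=` was replaced, so a later reader may "simplify" it back and silently reintroduce the timing side channel; add `# Compare in constant time: a plain != stops at the first differing byte, which can leak the token through response timing.` above the `authorization = request.headers.get("Authorization")` line. The explicit `authorization is None` guard presumably exists so a missing header is rejected before it is coerced for comparison; a short note saying so would keep the two checks from being merged. validate_scim_bearer_token starts and ends outside the hunk.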
