From 3b50185d2ca536a83f346e4a4ce3cfb8dafc9ea2 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Fri, 16 Mar 2018 11:44:12 +0100
Subject: [PATCH] Use hmac.compare_digest for csrf token comparison

---
 decorators.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/decorators.py b/decorators.py
index 17b7356..7057c00 100644
--- a/decorators.py
+++ b/decorators.py
@@ -1,6 +1,7 @@
 from flask import request, flash, abort
 
 from functools import wraps
+from hmac import compare_digest
 
 from models.database import ALL_MODELS
 from shared import current_user
@@ -97,8 +98,8 @@ def protect_csrf(function):
     @wraps(function)
     def _decorated_function(*args, **kwargs):
         token = request.args.get("csrf_token")
-        if token != get_csrf_token():
-            print(token, get_csrf_token())
+        true_token = get_csrf_token()
+        if token is None or not compare_digest(token, true_token):
             abort(400)
         return function(*args, **kwargs)
     return _decorated_function
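Review bot: The new `compare_digest` call on the `if token is None or ...` line can raise `TypeError` on attacker-controlled input, because `hmac.compare_digest` rejects `str` arguments containing non-ASCII characters (and mixed `str`/`bytes` operands), so a request with `?csrf_token=%C3%A9` would produce a 500 instead of the intended 400. Comparing the UTF-8 encodings sidesteps both cases: `if token is None or not compare_digest(token.encode("utf-8"), true_token.encode("utf-8")):` — this assumes `get_csrf_token()` returns a `str`; if it already returns `bytes`, encode only the request side. The `protect_csrf` definition itself begins before the hunk, and `get_csrf_token` is not visible here, so the return type should be confirmed against its definition. Separately, the token is still read from `request.args`, i.e. the query string, which is prior behaviour rather than part of this change, but worth noting since query-string tokens tend to end up in server logs and `Referer` headers.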
-- 
GitLab