Fixed the timing attack in twilio.util.RequestValidator.

zacharyvoase · zacharyvoase · commit 022ea4cb852d · 2013-05-20T15:13:39.000+02:00
diff --git a/twilio/util.py b/twilio/util.py
@@ -1,5 +1,6 @@
 import base64
 import hmac
+import itertools
 import time
 from hashlib import sha1
 
@@ -43,7 +44,23 @@ def validate(self, uri, params, signature):
 
         :returns: True if the request passes validation, False if not
         """
-        return self.compute_signature(uri, params) == signature
+        return secure_compare(self.compute_signature(uri, params), signature)
+
+
+def secure_compare(string1, string2):
+    """Compare two strings while protecting against timing attacks
+
+    :param string1: the first string
+    :param string2: the second string
+
+    :returns: True if the strings are equal, False if not
+    """
+    if len(string1) != len(string2):
+        return False
+    result = True
+    for c1, c2 in itertools.izip(string1, string2):
+        result &= c1 == c2
+    return result
 
 
 class TwilioCapability(object):
