cubicweb-signedrequest #3816103 signature checking is sensitive to timing attacks [resolved]
The request signature checking should be made constant-time. Python 3.3 has `hmac.compare_digest`, Django has `django.utils.crypto.constant_time_compare`, etc., for that purpose.
|closed by||#c105ba615a8b Don't use normal string comparison to check request signatures|
|patch||Don't use normal string comparison to check request signatures [applied]|
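The comparison this ticket asks for, as an added example (not cubicweb-signedrequest's own code): an HMAC request check using `==` beside one using `hmac.compare_digest`, with a portable fallback for interpreters that lack it. The canonical string layout, the HMAC-SHA512 choice, the function names and the sample key and headers are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed sample key, not a real credential
SAMPLE_HEADERS = {"Content-Type": "application/json",  # constructed sample request
                  "Date": "Mon, 01 Jan 2024 00:00:00 GMT"}


def string_to_sign(method, url, headers):
    """Canonical form (assumed layout): method, URL, then sorted header lines."""
    lines = [method.upper(), url]
    lines += ["%s:%s" % (k.lower(), headers[k].strip())
              for k in sorted(headers, key=str.lower)]
    return "\n".join(lines).encode("utf-8")


def sign(secret, method, url, headers):
    return hmac.new(secret, string_to_sign(method, url, headers),
                    hashlib.sha512).hexdigest()


def check_naive(secret, method, url, headers, received):
    # "Before": == stops at the first differing character, so the time taken
    # depends on how long a prefix of the received signature is correct.
    return sign(secret, method, url, headers) == received


def constant_time_equals(a, b):
    """Portable fallback for interpreters without hmac.compare_digest."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(bytearray(a), bytearray(b)):
        diff |= x ^ y  # accumulate differences, never exit early
    return diff == 0


def check_constant_time(secret, method, url, headers, received):
    if not isinstance(received, str):
        return False  # missing or malformed signature value
    expected = sign(secret, method, url, headers).encode("ascii")
    # Compare as bytes: compare_digest raises TypeError on non-ASCII str input.
    candidate = received.encode("utf-8")
    compare = getattr(hmac, "compare_digest", constant_time_equals)
    return compare(expected, candidate)
```

Both checks return the same verdicts; only the constant-time one avoids leaking, through response time, how much of a submitted signature was correct.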