From 2cc3fa4fba36773fa7463262fe4017aacd05bfbe Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Wed, 9 Nov 2022 17:03:04 -0800
Subject: [PATCH] scim: Check SCIM tokens using constant-time comparison.
Signed-off-by: Anders Kaseorg
---
 zerver/middleware.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/zerver/middleware.py b/zerver/middleware.py
index e30e2d1e17..a023a81399 100644
--- a/zerver/middleware.py
+++ b/zerver/middleware.py
@@ -15,6 +15,7 @@ from django.middleware.locale import LocaleMiddleware as DjangoLocaleMiddleware
 from django.shortcuts import render
 from django.utils import translation
 from django.utils.cache import patch_vary_headers
+from django.utils.crypto import constant_time_compare
 from django.utils.deprecation import MiddlewareMixin
 from django.utils.log import log_response
 from django.utils.translation import gettext as _
@@ -725,7 +726,10 @@ def validate_scim_bearer_token(request: HttpRequest) -> bool:
     assert valid_bearer_token
     assert scim_client_name
-    if request.headers.get("Authorization") != f"Bearer {valid_bearer_token}":
+    authorization = request.headers.get("Authorization")
+    if authorization is None or not constant_time_compare(
+        authorization, f"Bearer {valid_bearer_token}"
+    ):
         return False
     request_notes = RequestNotes.get_notes(request)