diff --git a/zerver/decorator.py b/zerver/decorator.py index 4eca07fb70..904fca6130 100644 --- a/zerver/decorator.py +++ b/zerver/decorator.py @@ -30,6 +30,7 @@ from django.http import HttpRequest, HttpResponse, HttpResponseRedirect, QueryDi from django.http.multipartparser import MultiPartParser from django.shortcuts import resolve_url from django.template.response import SimpleTemplateResponse, TemplateResponse +from django.utils.crypto import constant_time_compare from django.utils.timezone import now as timezone_now from django.utils.translation import gettext as _ from django.views.decorators.csrf import csrf_exempt @@ -284,7 +285,7 @@ def validate_api_key( remote_server = get_remote_server_by_uuid(role) except RemoteZulipServer.DoesNotExist: raise InvalidZulipServerError(role) - if api_key != remote_server.api_key: + if not constant_time_compare(api_key, remote_server.api_key): raise InvalidZulipServerKeyError(role) if remote_server.deactivated: diff --git a/zilencer/views.py b/zilencer/views.py index 55c65187a2..8e471decd3 100644 --- a/zilencer/views.py +++ b/zilencer/views.py @@ -9,6 +9,7 @@ from django.db import IntegrityError, transaction from django.db.models import Model from django.http import HttpRequest, HttpResponse from django.utils import timezone +from django.utils.crypto import constant_time_compare from django.utils.translation import gettext as _ from django.utils.translation import gettext as err_ from django.views.decorators.csrf import csrf_exempt @@ -139,7 +140,7 @@ def register_remote_server( event_time=remote_server.last_updated, ) else: - if remote_server.api_key != zulip_org_key: + if not constant_time_compare(remote_server.api_key, zulip_org_key): raise InvalidZulipServerKeyError(zulip_org_id) else: remote_server.hostname = hostname