scim: Check SCIM tokens using constant-time comparison.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
This commit is contained in:
Anders Kaseorg 2022-11-09 17:03:04 -08:00 committed by Alex Vandiver
parent 103b8f6de3
commit 2cc3fa4fba
1 changed files with 5 additions and 1 deletions


@ -15,6 +15,7 @@ from django.middleware.locale import LocaleMiddleware as DjangoLocaleMiddleware
from django.shortcuts import render
from django.utils import translation
from django.utils.cache import patch_vary_headers
from django.utils.crypto import constant_time_compare
from django.utils.deprecation import MiddlewareMixin
from django.utils.log import log_response
from django.utils.translation import gettext as _
@ -725,7 +726,10 @@ def validate_scim_bearer_token(request: HttpRequest) -> bool:
assert valid_bearer_token
assert scim_client_name
if request.headers.get("Authorization") != f"Bearer {valid_bearer_token}":
authorization = request.headers.get("Authorization")
if authorization is None or not constant_time_compare(
authorization, f"Bearer {valid_bearer_token}"
):
return False
request_notes = RequestNotes.get_notes(request)