Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(64)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/oauth2client/xsrfutil.py

Issue 1085893002: Upgrade 3rd packages (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/tools/depot_tools
Patch Set: rebase Created 5 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« third_party/oauth2client/client.py ('K') | « third_party/oauth2client/util.py ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/oauth2client/xsrfutil.py
diff --git a/third_party/oauth2client/xsrfutil.py b/third_party/oauth2client/xsrfutil.py
index 7e1fe5c813301c5affbed55d40d9a924c2528f6e..bea7c875ee653b55f54273c19f59b2f1f804f66d 100644
--- a/third_party/oauth2client/xsrfutil.py
+++ b/third_party/oauth2client/xsrfutil.py
@@ -1,6 +1,5 @@
-#!/usr/bin/python2.5
#
-# Copyright 2010 the Melange authors.
+# Copyright 2014 the Melange authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -17,25 +16,36 @@
"""Helper methods for creating & verifying XSRF tokens."""
__authors__ = [
- '"Doug Coker" <dcoker@google.com>',
- '"Joe Gregorio" <jcgregorio@google.com>',
+ '"Doug Coker" <dcoker@google.com>',
+ '"Joe Gregorio" <jcgregorio@google.com>',
]
import base64
import hmac
-import os # for urandom
import time
+import six
from oauth2client import util
# Delimiter character
-DELIMITER = ':'
+DELIMITER = b':'
+
# 1 hour in seconds
DEFAULT_TIMEOUT_SECS = 1*60*60
+
+def _force_bytes(s):
+ if isinstance(s, bytes):
+ return s
+ s = str(s)
+ if isinstance(s, six.text_type):
+ return s.encode('utf-8')
+ return s
+
+
@util.positional(2)
def generate_token(key, user_id, action_id="", when=None):
"""Generates a URL-safe token for the given user, action, time tuple.
@@ -51,18 +61,16 @@ def generate_token(key, user_id, action_id="", when=None):
Returns:
A string XSRF protection token.
"""
- when = when or int(time.time())
- digester = hmac.new(key)
- digester.update(str(user_id))
+ when = _force_bytes(when or int(time.time()))
+ digester = hmac.new(_force_bytes(key))
+ digester.update(_force_bytes(user_id))
digester.update(DELIMITER)
- digester.update(action_id)
+ digester.update(_force_bytes(action_id))
digester.update(DELIMITER)
- digester.update(str(when))
+ digester.update(when)
digest = digester.digest()
- token = base64.urlsafe_b64encode('%s%s%d' % (digest,
- DELIMITER,
- when))
+ token = base64.urlsafe_b64encode(digest + DELIMITER + when)
return token
@@ -87,8 +95,8 @@ def validate_token(key, token, user_id, action_id="", current_time=None):
if not token:
return False
try:
- decoded = base64.urlsafe_b64decode(str(token))
- token_time = long(decoded.split(DELIMITER)[-1])
+ decoded = base64.urlsafe_b64decode(token)
+ token_time = int(decoded.split(DELIMITER)[-1])
except (TypeError, ValueError):
return False
if current_time is None:
@@ -105,9 +113,6 @@ def validate_token(key, token, user_id, action_id="", current_time=None):
# Perform constant time comparison to avoid timing attacks
different = 0
- for x, y in zip(token, expected_token):
- different |= ord(x) ^ ord(y)
- if different:
- return False
-
- return True
+ for x, y in zip(bytearray(token), bytearray(expected_token)):
+ different |= x ^ y
+ return not different
« third_party/oauth2client/client.py ('K') | « third_party/oauth2client/util.py ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698