| Index: appengine/chromium_build_logs/third_party/oauth2client/xsrfutil.py
|
| diff --git a/appengine/chromium_rietveld/third_party/oauth2client/xsrfutil.py b/appengine/chromium_build_logs/third_party/oauth2client/xsrfutil.py
|
| similarity index 77%
|
| copy from appengine/chromium_rietveld/third_party/oauth2client/xsrfutil.py
|
| copy to appengine/chromium_build_logs/third_party/oauth2client/xsrfutil.py
|
| index 7e1fe5c813301c5affbed55d40d9a924c2528f6e..5739dcf5d881a3effd3645c065659f1f607ad78c 100644
|
| --- a/appengine/chromium_rietveld/third_party/oauth2client/xsrfutil.py
|
| +++ b/appengine/chromium_build_logs/third_party/oauth2client/xsrfutil.py
|
| @@ -1,6 +1,5 @@
|
| -#!/usr/bin/python2.5
|
| #
|
| -# Copyright 2010 the Melange authors.
|
| +# Copyright 2014 the Melange authors.
|
| #
|
| # Licensed under the Apache License, Version 2.0 (the "License");
|
| # you may not use this file except in compliance with the License.
|
| @@ -17,25 +16,36 @@
|
| """Helper methods for creating & verifying XSRF tokens."""
|
|
|
| __authors__ = [
|
| - '"Doug Coker" <dcoker@google.com>',
|
| - '"Joe Gregorio" <jcgregorio@google.com>',
|
| + '"Doug Coker" <dcoker@google.com>',
|
| + '"Joe Gregorio" <jcgregorio@google.com>',
|
| ]
|
|
|
|
|
| import base64
|
| import hmac
|
| -import os # for urandom
|
| import time
|
|
|
| +import six
|
| from oauth2client import util
|
|
|
|
|
| # Delimiter character
|
| -DELIMITER = ':'
|
| +DELIMITER = b':'
|
| +
|
|
|
| # 1 hour in seconds
|
| DEFAULT_TIMEOUT_SECS = 1*60*60
|
|
|
| +
|
| +def _force_bytes(s):
|
| + if isinstance(s, bytes):
|
| + return s
|
| + s = str(s)
|
| + if isinstance(s, six.text_type):
|
| + return s.encode('utf-8')
|
| + return s
|
| +
|
| +
|
| @util.positional(2)
|
| def generate_token(key, user_id, action_id="", when=None):
|
| """Generates a URL-safe token for the given user, action, time tuple.
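Review bot: `_force_bytes` calls `str(s)` before it tests for `six.text_type`, so on Python 2 a `unicode` argument containing non-ASCII characters goes through the default ASCII codec and raises `UnicodeEncodeError` instead of being UTF-8 encoded; on Python 3 the order happens to be harmless because `str` is the text type. Testing for text first fixes both interpreters: replace `s = str(s)` with `if not isinstance(s, six.text_type):` / `    s = str(s)` and keep the existing encode branch after it. Since this helper now sits on every hashing path, a one-line docstring such as `"""Return s as bytes: bytes pass through, text is UTF-8 encoded, anything else goes through str() first."""` would also help. `import six` is a new third-party dependency inside a vendored copy of oauth2client; presumably the destination app already bundles it, but that is worth confirming.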
|
| @@ -51,18 +61,16 @@ def generate_token(key, user_id, action_id="", when=None):
|
| Returns:
|
| A string XSRF protection token.
|
| """
|
| - when = when or int(time.time())
|
| - digester = hmac.new(key)
|
| - digester.update(str(user_id))
|
| + when = _force_bytes(when or int(time.time()))
|
| + digester = hmac.new(_force_bytes(key))
|
| + digester.update(_force_bytes(user_id))
|
| digester.update(DELIMITER)
|
| - digester.update(action_id)
|
| + digester.update(_force_bytes(action_id))
|
| digester.update(DELIMITER)
|
| - digester.update(str(when))
|
| + digester.update(when)
|
| digest = digester.digest()
|
|
|
| - token = base64.urlsafe_b64encode('%s%s%d' % (digest,
|
| - DELIMITER,
|
| - when))
|
| + token = base64.urlsafe_b64encode(digest + DELIMITER + when)
|
| return token
|
|
|
|
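Review bot: `digester = hmac.new(_force_bytes(key))` still passes no `digestmod`, so the MAC silently uses the MD5 default, and on Python 3.8+ (where `digestmod` became mandatory) the call raises `TypeError` before any token is produced. Spell the algorithm out with `digester = hmac.new(_force_bytes(key), digestmod=hashlib.md5)` and add `import hashlib` to the import block; that keeps already-issued tokens valid, and a move to `hashlib.sha256` would be a separate, token-format-breaking change to schedule. The docstring's `A string XSRF protection token.` is also no longer accurate on Python 3, where `base64.urlsafe_b64encode` returns `bytes`; `A bytes XSRF protection token (decode it before embedding in a page).` says what the caller actually receives. generate_token's signature and the start of its docstring are outside this hunk.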
|
| @@ -87,8 +95,8 @@ def validate_token(key, token, user_id, action_id="", current_time=None):
|
| if not token:
|
| return False
|
| try:
|
| - decoded = base64.urlsafe_b64decode(str(token))
|
| - token_time = long(decoded.split(DELIMITER)[-1])
|
| + decoded = base64.urlsafe_b64decode(token)
|
| + token_time = int(decoded.split(DELIMITER)[-1])
|
| except (TypeError, ValueError):
|
| return False
|
| if current_time is None:
|
| @@ -105,9 +113,6 @@ def validate_token(key, token, user_id, action_id="", current_time=None):
|
|
|
| # Perform constant time comparison to avoid timing attacks
|
| different = 0
|
| - for x, y in zip(token, expected_token):
|
| - different |= ord(x) ^ ord(y)
|
| - if different:
|
| - return False
|
| -
|
| - return True
|
| + for x, y in zip(bytearray(token), bytearray(expected_token)):
|
| + different |= x ^ y
|
| + return not different
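Review bot: `bytearray(token)` raises `TypeError` on Python 3 when `token` is a `str`, which is what a form or header value normally arrives as, and this line is outside the `try` that guards the decode step, so validate_token raises instead of returning False. The `zip` also stops at the shorter input, so a token shorter than `expected_token` is only compared over its own length and no length check is ever made. `hmac.compare_digest` (Python 2.7.7+ / 3.3+) does the constant-time and the length comparison in one call: replace the three new lines and `different = 0` with `return hmac.compare_digest(_force_bytes(token), expected_token)` and reword the comment to `# Constant-time, length-checked comparison to avoid timing attacks`. If an older interpreter must still be supported, at least coerce `token` with `_force_bytes` and add `if len(token) != len(expected_token): return False` before the loop. validate_token's signature and the `expected_token` assignment are outside this hunk.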
|
|
|