for python version < 2.7.7 implement const time str comparison (#29)

razorpay · Jul 31, 2017 · 39c65f6 · 39c65f6
1 parent 89cdcc8
commit 39c65f6
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,5 +1,6 @@
 language: python
 python:
+  - "2.7.6"
   - "2.7"
   - "3.3"
   - "3.4"

diff --git a/razorpay/utility/utility.py b/razorpay/utility/utility.py
@@ -35,5 +35,29 @@ def verify_signature(self, body, signature, key):
 
         generated_signature = dig.hexdigest()
 
-        if not hmac.compare_digest(generated_signature, signature):
-            raise SignatureVerificationError('Payment Signature Verification Failed')
+        if sys.version_info[0:3] < (2, 7, 7):
+            result = self.compare_string(generated_signature, signature)
+        else:
+            result = hmac.compare_digest(generated_signature, signature)
+
+        if not result:
+            raise SignatureVerificationError(
+                'Razorpay Signature Verification Failed')
+
+    # Taken from Django Source Code
+    # Used in python version < 2.7.7
+    # As hmac.compare_digest is not present in prev versions
+    def compare_string(self, expected_str, actual_str):
+        """
+        Returns True if the two strings are equal, False otherwise
+        The time taken is independent of the number of characters that match
+        For the sake of simplicity, this function executes in constant time only
+        when the two strings have the same length. It short-circuits when they
+        have different lengths
+        """
+        if len(expected_str) != len(actual_str):
+            return False
+        result = 0
+        for x, y in zip(expected_str, actual_str):
+            result |= ord(x) ^ ord(y)
+        return result == 0
-Original file line number
+Diff line change
@@ -1,5 +1,6 @@
     language: python
     python:
+      - "2.7.6"
       - "2.7"
       - "3.3"
       - "3.4"
@@ Expand Down @@