Add Python 3 support for FacebookAuthorization.parse_signed_data

`json.loads` was expecting a string, but in python 3 `base64decode()` return bytes and that is why it bugged. We fix this by making sure the decoded payload data is in string and that `hmac.new()` is provided with arguments in bytes. `open_facebook.utils.smart_str` will do that job correctly in python 2 and 3. We also use `hmac.compare_digest()` which is the preferred way to compare those kinds of data to prevent timing analysis. If not `hmac.compare_digest` is available (python 2.7.7+) then we just compare logically. Fixes tschellenbach#491.
nickpack · Nov 22, 2018 · faf4a12 · faf4a12
1 parent 53a5518
commit faf4a12
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/open_facebook/api.py b/open_facebook/api.py
@@ -484,7 +484,9 @@ def parse_signed_data(cls, signed_request,
             expected_sig = hmac.new(smart_str(secret), msg=smart_str(payload),
                                     digestmod=hashlib.sha256).digest()
 
-        if not sig == expected_sig:
+        if (hasattr(hmac, 'compare_digest') and
+                not hmac.compare_digest(sig, expected_sig) or
+                sig != expected_sig):
             error_format = 'Signature %s didnt match the expected signature %s'
             error_message = error_format % (sig, expected_sig)
             send_warning(error_message)