From e5cb26464e7559fbf74fa71ed299192122e42cbe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Gro=C3=9Fe=20Sundrup?=
Date: Fri, 16 Dec 2016 21:22:05 +0100
Subject: [PATCH] use digest-compare for password-comparison (#360)

---
 src/pretix/base/views/metrics.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/pretix/base/views/metrics.py b/src/pretix/base/views/metrics.py
index 12512149c5..7338dda6c3 100644
--- a/src/pretix/base/views/metrics.py
+++ b/src/pretix/base/views/metrics.py
@@ -1,3 +1,5 @@
+import hmac
+
 from django.conf import settings
 from django.http import HttpResponse
 
@@ -26,9 +28,9 @@ def serve_metrics(request):
 
     user, passphrase = credentials.strip().decode("base64").split(":", 1)
 
-    if user != settings.METRICS_USER:
+    if not hmac.compare_digest(user, settings.METRICS_USER):
         return unauthed_response()
-    if passphrase != settings.METRICS_PASSPHRASE:
+    if not hmac.compare_digest(passphrase, settings.METRICS_PASSPHRASE):
         return unauthed_response()
 
     # ok, the request passed the authentication-barrier, let's hand out the metrics:
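Review bot: The two added `hmac.compare_digest` calls are passed `str` operands, and on Python 3 `compare_digest` raises `TypeError` when a `str` argument contains non-ASCII characters, so a client sending a non-ASCII username or passphrase would turn a 401 into an unhandled 500 instead of `unauthed_response()`; the types of `user`/`passphrase` and of the two settings are not visible in the hunk, so this presumes they are `str`. Encoding both sides to bytes before comparing removes that failure mode. The hunk also still returns early after the username check, so the passphrase comparison only runs for a correct username; evaluating both comparisons before branching keeps the response path uniform for wrong-user and wrong-passphrase requests. `serve_metrics` starts before and ends after this hunk, so the surrounding handling of `credentials` is not reviewed here.
```python
    # … unchanged: credentials split into user, passphrase …
    # Compare as bytes so non-ASCII input cannot raise TypeError, and evaluate
    # both checks before branching so the username result alone does not
    # decide the early return.
    user_ok = hmac.compare_digest(user.encode("utf-8"), settings.METRICS_USER.encode("utf-8"))
    pass_ok = hmac.compare_digest(passphrase.encode("utf-8"), settings.METRICS_PASSPHRASE.encode("utf-8"))
    if not (user_ok & pass_ok):
        return unauthed_response()
    # … unchanged: metrics response …
```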