Fix hmac comparision to be secure (thanks @erikh360)

rudigiesler · rudigiesler · commit b1b6a2b4f8bc · 2018-11-12T10:47:03.000+02:00
diff --git a/registrations/views.py b/registrations/views.py
@@ -684,7 +684,7 @@ def validate_signature(self, request):
 
         h = hmac.new(secret.encode(), request.body, sha256)
 
-        if base64.b64encode(h.digest()).decode() != signature:
+        if not hmac.compare_digest(base64.b64encode(h.digest()).decode(), signature):
             raise AuthenticationFailed("Invalid hook signature")
 
     def get_msisdn(self, data):
