fix(utils): use hmac.compare_digest for secure WebApp signature validation

This commit is contained in:
iSlavok 2025-07-16 02:02:10 +05:00
parent 7a517f1eba
commit f2b8e607ee
2 changed files with 2 additions and 1 deletions

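--- /dev/null
+++ b/CHANGES/1709.bugfix.rst
@@ -0,0 +1 @@
+Use `hmac.compare_digest` for validating WebApp data to prevent timing attacks.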


@ -134,7 +134,7 @@ def check_webapp_signature(token: str, init_data: str) -> bool:
calculated_hash = hmac.new( calculated_hash = hmac.new(
key=secret_key.digest(), msg=data_check_string.encode(), digestmod=hashlib.sha256 key=secret_key.digest(), msg=data_check_string.encode(), digestmod=hashlib.sha256
).hexdigest() ).hexdigest()
return calculated_hash == hash_ return hmac.compare_digest(calculated_hash, hash_)
def parse_webapp_init_data( def parse_webapp_init_data(
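Review bot: The new comparison on the `return` line raises `TypeError` instead of returning `False` when `hash_` is not a `str`, or is a `str` containing non-ASCII characters, because `hmac.compare_digest` only accepts two values of the same type and rejects non-ASCII `str` operands; `hash_` is presumably extracted from caller-supplied `init_data`, but that extraction and the start of `check_webapp_signature` lie outside the hunk. The old `==` silently returned `False` on such input, so a malformed `hash` field now turns a failed validation into an exception the caller may not be catching. Comparing as bytes keeps the constant-time property and the boolean contract: `if not isinstance(hash_, str): return False` followed by `return hmac.compare_digest(calculated_hash.encode("ascii"), hash_.encode("utf-8"))` — `hexdigest()` is always ASCII, so encoding the computed side cannot fail.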