From 734caae70c8749d3ac35ae68616b17a65f352494 Mon Sep 17 00:00:00 2001
From: aftermath2 <cxbvnlrzfjwi@protonmail.com>
Date: Sat, 1 Apr 2023 12:00:00 +0000
Subject: [PATCH] Prevent timing attacks on protected orders

---
 api/views.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/api/views.py b/api/views.py
index bf11159b..c2ac4541 100644
--- a/api/views.py
+++ b/api/views.py
@@ -1,4 +1,5 @@
 from datetime import datetime, timedelta
+from hmac import compare_digest
 
 from decouple import config
 from django.conf import settings
@@ -558,11 +559,12 @@ class OrderView(viewsets.ViewSet):
                 if not valid:
                     return Response(context, status=status.HTTP_409_CONFLICT)
 
-                if order.password is not None and order.password != password:
-                    return Response(
-                        {"bad_request": "Wrong password"},
-                        status=status.HTTP_403_FORBIDDEN,
-                    )
+                if order.password is not None:
+                    if password is None or not compare_digest(order.password, password):
+                        return Response(
+                            {"bad_request": "Wrong password"},
+                            status=status.HTTP_403_FORBIDDEN,
+                        )
 
                 # For order with amount range, set the amount now.
                 if order.has_range: