From 6d729538c1e360bc3521f5a8b82f261f4ec1234e Mon Sep 17 00:00:00 2001
From: Mu
Date: Tue, 31 Dec 2019 01:31:55 -0600
Subject: [PATCH 1/2] Default Message
---
 webhooks.py | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/webhooks.py b/webhooks.py
index 082c236..c8d7a09 100644
--- a/webhooks.py
+++ b/webhooks.py
@@ -31,6 +31,18 @@ from ipaddress import ip_address, ip_network
 from flask import Flask, request, abort
+# Python prior to 2.7.7 does not have hmac.compare_digest
+if hexversion >= 0x020707F0:
+ def constant_time_compare(val1, val2):
+ return hmac.compare_digest(val1, val2)
+else:
+ def constant_time_compare(val1, val2):
+ if len(val1) != len(val2):
+ return False
+ result = 0
+ for x, y in zip(val1, val2):
+ result |= ord(x) ^ ord(y)
+ return result == 0
 application = Flask(__name__)
@@ -84,16 +96,8 @@ def index():
 # HMAC requires the key to be bytes, but data is string
 mac = hmac.new(str(secret), msg=request.data, digestmod='sha1')
- # Python prior to 2.7.7 does not have hmac.compare_digest
- if hexversion >= 0x020707F0:
- if not hmac.compare_digest(str(mac.hexdigest()), str(signature)):
- abort(403)
- else:
- # What compare_digest provides is protection against timing
- # attacks; we can live without this protection for a web-based
- # application
- if not str(mac.hexdigest()) == str(signature):
- abort(403)
+ if not constant_time_compare(str(mac.hexdigest()), str(signature)):
+ abort(403)
 # Implement ping
 event = request.headers.get('X-GitHub-Event', 'ping')
From c8f9226047b2a3a77857ec47dbf59a83d914f1ce Mon Sep 17 00:00:00 2001
From: Jane-1 <47697440+Jane-1@users.noreply.github.com>
Date: Tue, 31 Dec 2019 01:40:33 -0600
Subject: [PATCH 2/2] Update webhooks.py
---
 webhooks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/webhooks.py b/webhooks.py
index c8d7a09..b32c169 100644
--- a/webhooks.py
+++ b/webhooks.py
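Review bot: The new `constant_time_compare` has no docstring, and the comment this commit deletes in the second hunk was the only place that said why a plain `==` is avoided; the helper should carry that rationale, e.g. `"""Compare two equal-length strings without stopping at the first mismatch, so elapsed time does not depend on how many leading characters match; falls back to an OR-accumulating loop where hmac.compare_digest is unavailable."""`. The fallback's early `return False` on a length mismatch is acceptable only because both arguments at the call site are fixed-length hex digests; a comment on the `if len(val1) != len(val2):` line should state that assumption so a future caller with variable-length inputs does not inherit it silently. `hexversion` and `hmac` are used by the hunk but neither import is visible in it; presumably `from sys import hexversion` already exists above line 31 since the removed code used the same name, but worth confirming. On Python 3, `hmac.compare_digest` raises `TypeError` instead of returning False when given a `str` with non-ASCII characters, so a malformed signature header would surface as a 500 rather than the 403 the second hunk intends — hedged, since the header parsing and the enclosing `index()` start outside these hunks.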
@@ -94,7 +94,7 @@ def index():
 abort(501)
 # HMAC requires the key to be bytes, but data is string
- mac = hmac.new(str(secret), msg=request.data, digestmod='sha1')
+ mac = hmac.new(str(secret), msg=request.data, digestmod=sha1)
 if not constant_time_compare(str(mac.hexdigest()), str(signature)):
 abort(403)
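Review bot: `digestmod=sha1` now references a bare name `sha1` that the hunk does not import, and the import lines visible in the previous commit's first hunk (`from ipaddress ...`, `from flask ...`) do not include it either; unless `from hashlib import sha1` exists above line 31, the first delivery will fail with a `NameError` after the 501 check and before any signature verification. Writing `import hashlib` and `digestmod=hashlib.sha1` makes the dependency obvious and is accepted on every interpreter the surrounding `hexversion` check targets, whereas the string form `'sha1'` it replaces is only accepted by `hmac.new` on Python 3.4+, which is presumably what motivated the change and deserves a one-line comment such as `# module object, not a name: Python 2.7 hmac.new does not accept digestmod strings`. The comment two lines above says the key must be bytes, yet `str(secret)` is passed on the changed line; on Python 3 `hmac.new` rejects a `str` key with `TypeError`, so the key needs encoding there — hedged, since `secret`'s type is assigned outside the hunk and `index()` starts before it.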