Slightly improve comment about constant time comparison

2015-08-16 20:50:29 -04:00 · 2015-08-16 20:50:29 -04:00 · 949fa2d426
commit 949fa2d426
parent 0fdb78a6f2
1 changed files with 3 additions and 2 deletions
--- a/yesod-form/Yesod/Form/Functions.hs
+++ b/yesod-form/Yesod/Form/Functions.hs
@ -228,9 +228,10 @@ postHelper form env = do
                    | not (Map.lookup tokenKey params === reqToken req) ->
                        FormFailure [renderMessage m langs MsgCsrfWarning]
                _ -> res
+            -- It's important to use constant-time comparison (constEqBytes) in order to avoid timing attacks.
            where (Just [t1]) === (Just t2) = TE.encodeUtf8 t1 `constEqBytes` TE.encodeUtf8 t2
-                  Nothing     === Nothing   = True   -- It's important to use constTimeEq
-                  _           === _         = False  -- in order to avoid timing attacks.
+                  Nothing     === Nothing   = True
+                  _           === _         = False
    return ((res', xml), enctype)

 -- | Similar to 'runFormPost', except it always ignores the currently available