Use `constant_time_compare` to verify image signatures

pull/10601/head
Jake Howard 2023-06-21 16:16:12 +01:00 committed by zerolab
parent ff327d5318
commit 13a350ed26
No known key found for this signature in database
3 changed files with 6 additions and 1 deletion

View file

@ -25,6 +25,7 @@ Changelog
* Fix: Ensure that title and slug are synced on keypress, not just on blur (LB (Ben) Johnston)
* Fix: Add a more visible active state for side panel toggle buttons (Thibaud Colas)
* Fix: Debounce and optimise live preview panel to prevent excessive requests (Sage Abdullah)
* Fix: Use constant-time comparison for image serve URL signatures (Jake Howard)
* Docs: Document how to add non-ModelAdmin views to a `ModelAdminGroup` (Onno Timmerman)
* Docs: Document how to add StructBlock data to a StreamField (Ramon Wenger)
* Docs: Update ReadTheDocs settings to v2 to resolve urllib3 issue in linkcheck extension (Thibaud Colas)
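Review bot: the new "Fix:" line on this hunk records what changed but not why it matters; a reader of the changelog cannot tell that the previous `==` comparison of the caller-supplied signature against the computed one could leak timing information, which is what makes this a security hardening rather than a functional fix. Suggest wording along the lines of "Fix: Use constant-time comparison for image serve URL signatures to avoid leaking timing information (Jake Howard)".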

View file

@ -54,6 +54,7 @@ Thank you to Damilola for his work, and to Google for sponsoring this project.
* Bulk actions under the "More" dropdown are now accessible for screen reader and keyboard users (Thibaud Colas)
* Navigation to translations via the locale dropdown is now accessible for screen reader and keyboard users (Thibaud Colas)
* Make it possible for speech recognition users to reveal chooser buttons (Thibaud Colas)
* Use constant-time comparison for image serve URL signatures (Jake Howard)
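Review bot: the added bullet lands at the end of a run of accessibility items (bulk actions under "More", locale dropdown navigation, chooser buttons for speech recognition users) immediately above `### Documentation`, where it reads as part of the accessibility work. Suggest moving it under the release notes' bug-fix or security section, and checking that the blank line the file uses before a `###` heading is preserved, since the context shows `### Documentation` directly after the new line.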
### Documentation

View file

@ -3,6 +3,7 @@ import hashlib
import hmac
from django.conf import settings
from django.utils.crypto import constant_time_compare
from django.utils.encoding import force_str
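Review bot: importing Django's `constant_time_compare` here rather than calling `hmac.compare_digest` directly (the `hmac` module is already imported two lines up) is the right choice: Django's helper applies `force_bytes` to both arguments before delegating to `hmac.compare_digest`, so str and bytes signatures keep working. No change needed; `force_str` stays imported because it is still used elsewhere in the file.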
@ -94,7 +95,9 @@ def generate_signature(image_id, filter_spec, key=None):
def verify_signature(signature, image_id, filter_spec, key=None):
return force_str(signature) == generate_signature(image_id, filter_spec, key=key)
return constant_time_compare(
signature, generate_signature(image_id, filter_spec, key=key)
)
def find_image_duplicates(image, user, permission_policy):
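Review bot: the removed line coerced the caller-supplied `signature` with `force_str` before the `==`, while the replacement passes it to `constant_time_compare` unchanged. That is correct, since `constant_time_compare` normalises both arguments to bytes internally, but a one-line comment above the `return` saying so would stop a future reader from reinstating `force_str(signature)` and silently reintroducing a non-constant-time path. One caveat worth stating in the PR description: `hmac.compare_digest` still short-circuits on a length mismatch, which is acceptable here because the generated signature has a fixed length, so the only thing an attacker learns from a length-mismatch early return is that their guess was the wrong length.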