Fix CSRF validation when token is unicode

[pvalsecc]

Pramid's params can be either str or unicode depending on the encoding.
Without this fix, constant_time_compare gives a TypeError: 'unicode' does
not have the buffer interface.

[heyleke]

Is there a reason for this pull request not being merged, besides 'time to do it'? Pylons interactive debugger is suffering from this issue (obviously?).

[digitalresistor]

Those people that are familiar with the project, and thus can review and merge this change and verify it doesn't break anything, are no longer actively working on the project.

[stevepiercy]

@bertjwregeer should we post something prominent on the docs or readme to that affect? Also mention that options include forking or attaining sufficient familiarity with the project to perform the merge under Pylons Project? We ought to set expectations to align with reality.

See also:

• Any chance of getting a new release on pypi? colander#208 (comment)
• Why not allow None in an appstruct serialized by Number? colander#204 (comment)

[pvalsecc]

Have you guys checked the complexity of this PR? It's a one liner with a total lack of complexity...

[stevepiercy]

@pvalsecc you can look up the package owner on pypi and contact them directly to request the merge.

[digitalresistor]

@stevepiercy The owner is @bbangert. He did the last merge on this project too.

@pvalsecc Even if I were to merge it, I don't have permission to cut a new release and push it to pypi, so it wouldn't solve the issue unfortunately.

[digitalresistor]

Just got push access to PyPi. Will pull this PR in, and get a new release cut within the next day or so.

[digitalresistor]

@pvalsecc Update on PyPi as version 0.12.

[pvalsecc]

Cool! Thanks @bertjwregeer, I see it.