HMAC verification does not use a cosntant time algorithm.

Reviewed in https://codereview.appspot.com/6640043/.

oauth2client/xsrfutil.py

@@ -100,7 +100,14 @@ def validate_token(key, token, user_id, action_id="", current_time=None):
   # The given token should match the generated one with the same time.
   expected_token = generate_token(key, user_id, action_id=action_id,
                                   when=token_time)
-  if token != expected_token:
+  if len(token) != len(expected_token):
+    return False
+
+  # Perform constant time comparison to avoid timing attacks
+  different = 0
+  for x, y in zip(token, expected_token):
+    different |= ord(x) ^ ord(y)
+  if different:
     return False
 
   return True