
Random timer to avoid timing oracles and simple bruteforce attacks

Important note: this is a security fix.
This commit is contained in:
Guillaume Ayoub 2017-04-19 14:02:51 +02:00
parent aef652fbe2
commit 190b1dd795


@ -56,7 +56,8 @@ following significantly more secure schemes are parsable by Radicale:
import base64 import base64
import hashlib import hashlib
import os import os
import random
import time
from .. import config from .. import config
@ -161,7 +162,10 @@ def is_authenticated(user, password):
if strippedline: if strippedline:
login, hash_value = strippedline.split(":") login, hash_value = strippedline.split(":")
if login == user: if login == user:
if _verifuncs[ENCRYPTION](hash_value, password):
# Allow encryption method to be overridden at runtime. # Allow encryption method to be overridden at runtime.
return _verifuncs[ENCRYPTION](hash_value, password) return True
# Random timer to avoid timing oracles and simple bruteforce attacks
time.sleep(1 + random.random())
return False return False
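Review bot: The delay added just before the final `return False` masks the timing oracle only statistically, because the work done before it still differs by path: an unknown `user` never reaches `_verifuncs[ENCRYPTION]` (the call sits inside `if login == user:`), while a known user with a wrong password pays the full hash-verification cost, so the mean response time still separates the two cases under repeated sampling despite the 1–2 s jitter. Making the elapsed time independent of the path would close that gap: record `started = time.monotonic()` at the top of `is_authenticated` and sleep to a fixed deadline, `time.sleep(max(0.0, started + 1 + random.random() - time.monotonic()))`, optionally also running the verify function against a dummy hash when no login matched. The sleep also occupies a server worker for 1–2 s per failed attempt and does nothing against guesses sent over parallel connections, so the comment should state the limit, e.g. `# NOTE: slows each failed attempt; it does not throttle parallel guesses or replace rate limiting`. `is_authenticated` starts outside the hunk, and whether the comparison inside `_verifuncs` is itself constant-time is not visible here.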