oss/Radicale
oss/Radicale
1
0
Fork 0
mirror of https://github.com/Kozea/Radicale.git synced 2025-06-26 16:45:52 +00:00
Code Wiki Activity

Always compare both login and password to avoid timing attacks

Browse source 
Related to #591.
This commit is contained in:
Guillaume Ayoub 2017-05-23 16:55:43 +02:00
parent 1b5bfee96c
commit 5066e97c66
1 changed files with 5 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
radicale/auth.py
View file

@ -194,6 +194,10 @@ class Auth(BaseAuth):
line = line.strip() line = line.strip()
if line: if line:
login, hash_value = line.split(":") login, hash_value = line.split(":")
if login == user and self.verify(hash_value, password): # Always compare both login and password to avoid timing
# attacks, see #591.
login_ok = hmac.compare_digest(login, user)
password_ok = self.verify(hash_value, password)
if login_ok + password_ok == 2:
return True return True
return False return False