Random timer to avoid timing oracles and simple bruteforce attacks

Important note: this is a security fix.
2017-04-19 13:48:30 +02:00 · 2017-04-19 13:48:30 +02:00 · 059ba8dec1
commit 059ba8dec1
parent 78e0bfd449
1 changed files with 6 additions and 2 deletions
--- a/radicale/auth.py
+++ b/radicale/auth.py
@ -57,6 +57,8 @@ import base64
 import functools
 import hashlib
 import os
+import random
+import time
 from importlib import import_module


@ -192,6 +194,8 @@ class Auth(BaseAuth):
                line = line.strip()
                if line:
                    login, hash_value = line.split(":")
-                    if login == user:
-                        return self.verify(hash_value, password)
+                    if login == user and self.verify(hash_value, password):
+                        return True
+        # Random timer to avoid timing oracles and simple bruteforce attacks
+        time.sleep(1 + random.random())
        return False