Random timer to avoid timing oracles and simple bruteforce attacks

Important note: this is a security fix.
Guillaume Ayoub 2017-04-19 13:48:30 +02:00
parent 78e0bfd449
commit 059ba8dec1


@ -57,6 +57,8 @@ import base64
import functools import functools
import hashlib import hashlib
import os import os
import random
import time
from importlib import import_module from importlib import import_module
@ -192,6 +194,8 @@ class Auth(BaseAuth):
line = line.strip() line = line.strip()
if line: if line:
login, hash_value = line.split(":") login, hash_value = line.split(":")
if login == user: if login == user and self.verify(hash_value, password):
return self.verify(hash_value, password) return True
# Random timer to avoid timing oracles and simple bruteforce attacks
time.sleep(1 + random.random())
return False return False
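Review bot: The jitter added at `time.sleep(1 + random.random())` masks but does not remove the timing difference on the failure path, because `self.verify(hash_value, password)` still runs only for a line whose login matches, and uniform 1–2 s noise averages out across repeated measurements. The durable mitigation is a constant-time comparison inside `verify` (e.g. `hmac.compare_digest`) together with running `verify` against a dummy hash when no login matches, so that known and unknown users cost the same; the sleep can stay as defence in depth. The unconditional sleep also holds the request thread for 1–2 s on every failed login, so on a threaded server a burst of bad credentials ties up workers — a per-client rate limit or lockout counter bounds that better than a delay. A comment such as `# Delay only on failure: masks verify() cost, not a constant-time guarantee` would record the intended scope. The enclosing method begins before this hunk.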