Random timer to avoid timing oracles and simple bruteforce attacks
Important note: this is a security fix.
parent
78e0bfd449
commit
059ba8dec1
@ -57,6 +57,8 @@ import base64
|
|||||||
import functools
|
import functools
|
||||||
import hashlib
|
import hashlib
|
||||||
import os
|
import os
|
||||||
|
import random
|
||||||
|
import time
|
||||||
from importlib import import_module
|
from importlib import import_module
|
||||||
|
|
||||||
|
|
||||||
@ -192,6 +194,8 @@ class Auth(BaseAuth):
|
|||||||
line = line.strip()
|
line = line.strip()
|
||||||
if line:
|
if line:
|
||||||
login, hash_value = line.split(":")
|
login, hash_value = line.split(":")
|
||||||
if login == user:
|
if login == user and self.verify(hash_value, password):
|
||||||
return self.verify(hash_value, password)
|
return True
|
||||||
|
# Random timer to avoid timing oracles and simple bruteforce attacks
|
||||||
|
time.sleep(1 + random.random())
|
||||||
return False
|
return False
|
||||||
|
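Review bot: The added `time.sleep(1 + random.random())` before the final `return False` adds noise but does not equalise the two failure paths: `self.verify(hash_value, password)` still runs only when `login == user`, so a known login with a wrong password costs one hash verification more than an unknown login, and uniform jitter averages out over repeated measurements. Consider verifying against a fixed dummy hash when no login matched so both paths do the same work, and check that the `verify` implementations (outside this hunk) compare digests with `hmac.compare_digest`. The sleep also holds the request handler for one to two seconds per failed attempt, so depending on the server's concurrency model it should be paired with a per-client attempt limit rather than relied on alone. Indentation is lost on this page, so the sleep sitting after the loop is inferred, and the enclosing method starts outside the hunk.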