Random timer to avoid timing oracles and simple bruteforce attacks
Important note: this is a security fix.
parent
78e0bfd449
commit
059ba8dec1
@ -57,6 +57,8 @@ import base64
|
||||
import functools
|
||||
import hashlib
|
||||
import os
|
||||
import random
|
||||
import time
|
||||
from importlib import import_module
|
||||
|
||||
|
||||
@ -192,6 +194,8 @@ class Auth(BaseAuth):
|
||||
line = line.strip()
|
||||
if line:
|
||||
login, hash_value = line.split(":")
|
||||
if login == user:
|
||||
return self.verify(hash_value, password)
|
||||
if login == user and self.verify(hash_value, password):
|
||||
return True
|
||||
# Random timer to avoid timing oracles and simple bruteforce attacks
|
||||
time.sleep(1 + random.random())
|
||||
return False
|
||||
|
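Review bot: The `time.sleep(1 + random.random())` added before `return False` only adds noise to the failure path, so it does not close the timing oracle named in the commit title. An unknown login still reaches the sleep without any `self.verify` call, while a known login with a wrong password pays for one first, and uniform jitter averages out over repeated requests. Calling `self.verify` against a fixed dummy hash when no login matched would equalise the two paths; whether `verify` itself compares in constant time is not visible here and should be confirmed. The sleep also holds the handling thread for one to two seconds per failed attempt and does nothing to limit parallel attempts, so I would state that limit next to it, e.g. `# Slows sequential guessing only: not a constant-time guarantee and not a per-user or per-source rate limit`. The enclosing method starts outside this hunk.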