Always compare both login and password to avoid timing attacks
Related to #591.
This commit is contained in:
parent
1b5bfee96c
commit
5066e97c66
@ -194,6 +194,10 @@ class Auth(BaseAuth):
|
|||||||
line = line.strip()
|
line = line.strip()
|
||||||
if line:
|
if line:
|
||||||
login, hash_value = line.split(":")
|
login, hash_value = line.split(":")
|
||||||
if login == user and self.verify(hash_value, password):
|
# Always compare both login and password to avoid timing
|
||||||
|
# attacks, see #591.
|
||||||
|
login_ok = hmac.compare_digest(login, user)
|
||||||
|
password_ok = self.verify(hash_value, password)
|
||||||
|
if login_ok + password_ok == 2:
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
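Review bot: The new `login_ok = hmac.compare_digest(login, user)` line raises `TypeError` instead of returning False whenever either the stored login or the submitted user name contains a non-ASCII character, because `hmac.compare_digest` accepts `str` arguments only when both are pure ASCII; compare encoded bytes instead, `login_ok = hmac.compare_digest(login.encode("utf-8"), user.encode("utf-8"))`. Since `password_ok` is now computed unconditionally on the line above, the `if login_ok + password_ok == 2:` test has no short-circuit to avoid and reads more clearly as `if login_ok and password_ok:`. Note also that `self.verify` now runs for every entry in the file rather than only the matching one, so with a slow hash function the cost of a failed login presumably scales with the number of users; a one-line comment stating that this is the intended trade-off would help the next reader. The enclosing loop and method begin before this hunk.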
|