Always compare both login and password to avoid timing attacks

Related to #591.
Guillaume Ayoub 2017-05-23 16:55:43 +02:00
parent 1b5bfee96c
commit 5066e97c66


@ -194,6 +194,10 @@ class Auth(BaseAuth):
line = line.strip() line = line.strip()
if line: if line:
login, hash_value = line.split(":") login, hash_value = line.split(":")
if login == user and self.verify(hash_value, password): # Always compare both login and password to avoid timing
# attacks, see #591.
login_ok = hmac.compare_digest(login, user)
password_ok = self.verify(hash_value, password)
if login_ok + password_ok == 2:
return True return True
return False return False
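Review bot: The new `login_ok = hmac.compare_digest(login, user)` line raises TypeError rather than returning False when either operand contains a non-ASCII character, because compare_digest accepts str arguments only if both are pure ASCII; a non-ASCII login in the htpasswd file or in the request would then turn a rejected login into an unhandled exception. Compare encoded bytes instead: `login_ok = hmac.compare_digest(login.encode("utf-8"), user.encode("utf-8"))`. The `if login_ok + password_ok == 2:` test reads as a trick; since both operands are already evaluated on the two preceding lines, a plain `if login_ok and password_ok:` short-circuits no work and states the intent directly. Whether `self.verify` itself compares in constant time cannot be seen from this hunk, and the enclosing method starts outside it.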