Always compare both login and password to avoid timing attacks
Related to #591.
This commit is contained in:
parent
1b5bfee96c
commit
5066e97c66
@ -194,6 +194,10 @@ class Auth(BaseAuth):
|
||||
line = line.strip()
|
||||
if line:
|
||||
login, hash_value = line.split(":")
|
||||
if login == user and self.verify(hash_value, password):
|
||||
# Always compare both login and password to avoid timing
|
||||
# attacks, see #591.
|
||||
login_ok = hmac.compare_digest(login, user)
|
||||
password_ok = self.verify(hash_value, password)
|
||||
if login_ok + password_ok == 2:
|
||||
return True
|
||||
return False
|
||||
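Review bot: `hmac.compare_digest(login, user)` on the new `login_ok` line raises TypeError when either string contains a non-ASCII character, so a Unicode username sent by a client turns into an exception instead of a failed login; compare the encoded forms instead, `login_ok = hmac.compare_digest(login.encode("utf-8"), user.encode("utf-8"))`. Since both flags are already evaluated before the test, `if login_ok and password_ok:` is equivalent to `login_ok + password_ok == 2` and reads as the intended conjunction rather than an arithmetic trick. The loop and the enclosing method start outside the hunk, as does any `import hmac`, so it is worth confirming the module is imported at the top of the file. Note also that the method presumably still returns as soon as a matching line is found, so total time may still depend on where (or whether) the user appears in the file; the comment could say that only the per-line comparison is constant-time.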
|