tobias/radicale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use secure RNG for auth delay

Browse Source
This commit is contained in:
Unrud
2020-05-15 21:54:09 +02:00
parent b3dd881277
commit 7b79c00ae2
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
radicale/app/__init__.py
View File

@@ -55,6 +55,8 @@ from radicale.app.put import ApplicationPutMixin
from radicale.app.report import ApplicationReportMixin from radicale.app.report import ApplicationReportMixin
from radicale.log import logger from radicale.log import logger
secure_random = random.SystemRandom()
VERSION = pkg_resources.get_distribution("radicale").version VERSION = pkg_resources.get_distribution("radicale").version
@@ -252,7 +254,7 @@ class Application(
# Random delay to avoid timing oracles and bruteforce attacks # Random delay to avoid timing oracles and bruteforce attacks
delay = self.configuration.get("auth", "delay") delay = self.configuration.get("auth", "delay")
if delay > 0: if delay > 0:
random_delay = delay * (0.5 + random.random()) random_delay = delay * (0.5 + secure_random.random())
logger.debug("Sleeping %.3f seconds", random_delay) logger.debug("Sleeping %.3f seconds", random_delay)
time.sleep(random_delay) time.sleep(random_delay)