This repository has been archived by the owner on Jul 13, 2023. It is now read-only.

Make token check in endpoint.py constant time #571

Closed
jrconlin opened this issue Jul 29, 2016 · 1 comment

@jrconlin
Member

In endpoint.*._validate_auth we should make token comparison constant time (see settings.py).

@jrconlin jrconlin self-assigned this Jul 29, 2016
@pjenvey
Member

pjenvey commented Jul 29, 2016

Our minimum is 2.7.7, so hmac.compare_digest can be used directly.

Multiple auth_key values are allowed so we should probably be extra careful and loop through them all.
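
One way to implement the check discussed in the two comments above, as an added example that is not the project's own code: each configured key is compared with `hmac.compare_digest` and the loop never exits early. The function names and sample keys are assumptions made for illustration.

```python
import hmac

# Constructed sample keys; real values would come from the service configuration.
SAMPLE_AUTH_KEYS = ["constructed-key-one", "constructed-key-two"]


def _to_bytes(value):
    # compare_digest needs both arguments to be the same type, and str
    # arguments must be ASCII-only, so normalise everything to bytes.
    return value if isinstance(value, bytes) else value.encode("utf-8")


def naive_check(presented, auth_keys):
    # "Before" form: `in` uses ==, which returns at the first differing
    # byte and at the first matching key, so run time depends on the secret.
    return presented in auth_keys


def constant_time_check(presented, auth_keys):
    """Return True if `presented` equals any key in `auth_keys`.

    Every key is compared, and the results are OR-ed together without
    short-circuiting, so run time does not reveal which key matched or
    how many leading bytes were correct.
    """
    if not presented:
        # An empty token never authenticates, even if a key is misconfigured
        # as an empty string. Emptiness is not secret, so this early return
        # leaks nothing about the keys.
        return False
    presented_b = _to_bytes(presented)
    matched = False
    for key in auth_keys:
        # Bitwise |= evaluates compare_digest on every iteration;
        # `matched = matched or ...` would skip it after the first hit.
        matched |= hmac.compare_digest(presented_b, _to_bytes(key))
    return matched


if __name__ == "__main__":
    print(constant_time_check("constructed-key-two", SAMPLE_AUTH_KEYS))
    print(constant_time_check("not-a-key", SAMPLE_AUTH_KEYS))
```

`hmac.compare_digest` hides the values being compared but can still leak their lengths when they differ, so keys should be fixed-length random strings.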
