From c69f3d68f96524977d2f59d65b4899f2c40043da Mon Sep 17 00:00:00 2001
From: Tres Seaver <tseaver@palladion.com>
Date: Tue, 15 Mar 2011 07:19:32 +0100
Subject: [PATCH] Warn off potential optimizers.
---
repoze/who/plugins/htpasswd.py | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/repoze/who/plugins/htpasswd.py b/repoze/who/plugins/htpasswd.py
index a457b07..7dfdfdb 100644
--- a/repoze/who/plugins/htpasswd.py
+++ b/repoze/who/plugins/htpasswd.py
@@ -20,6 +20,13 @@
# IAuthenticatorPlugin
def authenticate(self, environ, identity):
+ # NOW HEAR THIS!!!
+ #
+ # This method is *intentionally* slower than would be ideal because
+ # it is trying to avoid leaking information via timing attacks
+ # (number of users, length of user IDs, length of passwords, etc.).
+ #
+ # Do *not* try to optimize anything away here.
try:
login = identity['login']
password = identity['password']
@@ -57,6 +64,8 @@
# Check *something* here, to mitigate a timing attack.
password_ok = self.check(password, to_check)
+
+ # Check our flags: if both are OK, we found a match.
if password_ok and maybe_user:
result = maybe_user
@@ -69,6 +78,7 @@
PADDING = ' ' * 1000
def _same_string(x, y):
+ # Attempt at isochronous string comparison.
match = True
for a, b, ignored in itertools.izip_longest(x, y, PADDING):
match = a == b and match
--
Gitblit v1.9.3
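Review bot: The new warning at the top of authenticate() tells a maintainer what not to do but not which lines carry the protection, so a later refactor can still break it while honouring the letter of the comment. The parts visible in this patch are the unconditional self.check(password, to_check) call in the second hunk and the _same_string()/PADDING pair at module level; naming them lets a reviewer check the invariant instead of trusting a prohibition. I would extend the comment with `# The timing-flattening pieces are the unconditional self.check() call below and _same_string()/PADDING at module level; keep both.` The body of authenticate() continues outside both hunks, so there may be other load-bearing lines this note cannot see.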
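Review bot: The comment added to _same_string() claims an isochronous comparison, but the loop body `match = a == b and match` short-circuits: when the characters differ the right operand is never evaluated, so per-character work is slightly data-dependent; `match = (a == b) & match` keeps both operands evaluated on every iteration with the same result. The comment should also state the limit that PADDING imposes: the loop runs at least len(PADDING) iterations, so lengths up to 1000 are hidden, while longer inputs still iterate past the padding and leak their length. I would write `# Best effort: always iterates >= len(PADDING) times, so lengths <= 1000 are masked; longer inputs still leak length.` and, where the interpreter provides it, prefer hmac.compare_digest over the hand-rolled loop. The return of _same_string() lies outside the hunk.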