using constant time string comparison for username/password, to prevent timing attacks. fixes #3

2025-02-22 07:29:56 -05:00 · 2014-05-21 18:27:12 -04:00 · 2014-05-21 18:27:12 -04:00 · a12dd0c4a9
commit a12dd0c4a9
parent 7ef02955a0
1 changed files with 10 additions and 1 deletions
--- a/onionshare.py
+++ b/onionshare.py
@ -17,7 +17,16 @@ auth_username = auth_password = filename = filehash = filesize = ''

 def check_auth(username, password):
    global auth_username, auth_password
-    return username == auth_username and password == auth_password
+
+    if len(username) != 16 or len(password) != 16:
+        return False
+
+    # constant time string comparison, to prevent timing attacks
+    valid = True
+    for i in range(16):
+        if username[i] != auth_username[i] or password[i] != auth_password[i]:
+            valid = False
+    return valid

 def authenticate():
    return Response(