Mirrors/fish-shell
2
0
Fork 0
mirror of https://github.com/fish-shell/fish-shell synced 2025-01-13 21:44:16 +00:00
Code Issues Projects Releases Packages Wiki Activity

webconfig: Use a constant-time token comparison

Browse source 
This prevents a linear-time attack to recover the auth token.
This commit is contained in:
Andy Lutomirski 2014-08-11 17:50:56 -07:00
parent 397249a8d5
commit 78e2b7cc08
1 changed files with 10 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
share/tools/web_config/webconfig.py
View file

@ -471,6 +471,14 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
# Ignore unreadable files, etc
pass
return result
def secure_startswith(self, haystack, needle):
if len(haystack) < len(needle):
return False
bits = 0
for x,y in zip(haystack, needle):
bits |= ord(x) ^ ord(y)
return bits == 0
def font_size_for_ansi_prompt(self, prompt_demo_ansi):
width = ansi_prompt_line_width(prompt_demo_ansi)
@ -489,7 +497,7 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
p = self.path
authpath = '/' + authkey
if p.startswith(authpath):
if self.secure_startswith(p, authpath):
p = p[len(authpath):]
else:
return self.send_error(403)
@ -528,7 +536,7 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
p = self.path
authpath = '/' + authkey
if p.startswith(authpath):
if self.secure_startswith(p, authpath):
p = p[len(authpath):]
else:
return self.send_error(403)