webconfig: Use a constant-time token comparison

This prevents a linear-time attack to recover the auth token.
This commit is contained in:
Andy Lutomirski 2014-08-11 17:50:56 -07:00 committed by David Adam
parent d63db59ade
commit aaddccfdb1

View file

@ -680,6 +680,14 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
result.extend([r for r in sample_results if r])
return result
def secure_startswith(self, haystack, needle):
if len(haystack) < len(needle):
return False
bits = 0
for x,y in zip(haystack, needle):
bits |= ord(x) ^ ord(y)
return bits == 0
def font_size_for_ansi_prompt(self, prompt_demo_ansi):
width = ansi_prompt_line_width(prompt_demo_ansi)
# Pick a font size
@ -697,7 +705,7 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
p = self.path
authpath = '/' + authkey
if p.startswith(authpath):
if self.secure_startswith(p, authpath):
p = p[len(authpath):]
else:
return self.send_error(403)
@ -736,7 +744,7 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
p = self.path
authpath = '/' + authkey
if p.startswith(authpath):
if self.secure_startswith(p, authpath):
p = p[len(authpath):]
else:
return self.send_error(403)