mirror of
https://github.com/fish-shell/fish-shell
synced 2024-12-26 21:03:12 +00:00
webconfig: Use a constant-time token comparison
This prevents a linear-time attack to recover the auth token.
This commit is contained in:
parent
d63db59ade
commit
aaddccfdb1
1 changed files with 10 additions and 2 deletions
|
@ -680,6 +680,14 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
|
|||
result.extend([r for r in sample_results if r])
|
||||
return result
|
||||
|
||||
def secure_startswith(self, haystack, needle):
|
||||
if len(haystack) < len(needle):
|
||||
return False
|
||||
bits = 0
|
||||
for x,y in zip(haystack, needle):
|
||||
bits |= ord(x) ^ ord(y)
|
||||
return bits == 0
|
||||
|
||||
def font_size_for_ansi_prompt(self, prompt_demo_ansi):
|
||||
width = ansi_prompt_line_width(prompt_demo_ansi)
|
||||
# Pick a font size
|
||||
|
@ -697,7 +705,7 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
|
|||
p = self.path
|
||||
|
||||
authpath = '/' + authkey
|
||||
if p.startswith(authpath):
|
||||
if self.secure_startswith(p, authpath):
|
||||
p = p[len(authpath):]
|
||||
else:
|
||||
return self.send_error(403)
|
||||
|
@ -736,7 +744,7 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
|
|||
p = self.path
|
||||
|
||||
authpath = '/' + authkey
|
||||
if p.startswith(authpath):
|
||||
if self.secure_startswith(p, authpath):
|
||||
p = p[len(authpath):]
|
||||
else:
|
||||
return self.send_error(403)
|
||||
|
|
Loading…
Reference in a new issue