Commit e4a39488 authored by legoktm's avatar legoktm
Browse files

Check the REST API password in a way that is resistant to timing attacks (CVE-2021-34337)

Using basic string equality is vulnerable to timing attacks as it will
short circuit at the first wrong character. Using hmac.compare_digest
avoids that issue and will take the same time, regardless of whether
the value is correct or not.

This is only exploitable if an attacker can talk directly to the
REST API, which by default is bound to localhost.

Fixes #911.
parent 8c4edd1b
Pipeline #374605114 failed with stage
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment