From 3149c21240ded0b85a0d98ce5a0faadce793978a Mon Sep 17 00:00:00 2001
From: Massimo Di Pierro
Date: Wed, 13 Jun 2012 16:45:30 -0500
Subject: [PATCH] fixed a potential timing attack, thanks Kirill Spitsin

---
 VERSION | 2 +-
 gluon/html.py | 5 +++--
 gluon/utils.py | 4 ++++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/VERSION b/VERSION
index 66105987..d3be62af 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-Version 2.00.0 (2012-06-13 11:52:33) dev
+Version 2.00.0 (2012-06-13 16:45:24) dev
diff --git a/gluon/html.py b/gluon/html.py
index b9e79219..d32fdf1e 100644
--- a/gluon/html.py
+++ b/gluon/html.py
@@ -25,7 +25,7 @@ from HTMLParser import HTMLParser
 from htmlentitydefs import name2codepoint
 from storage import Storage
-from utils import web2py_uuid, hmac_hash
+from utils import web2py_uuid, hmac_hash, compare
 from highlight import highlight
 regex_crlf = re.compile('\r|\n')
@@ -455,7 +455,8 @@ def verifyURL(request, hmac_key=None, hash_vars=True, salt=None, user_signature=
 # return whether or not the signature in the request matched the one we just generated
 # (I.E. was the message the same as the one we originally signed)
- return original_sig == sig
+
+ return compare(original_sig, sig)
 URL.verify = verifyURL
diff --git a/gluon/utils.py b/gluon/utils.py
index fd9298aa..167a9f0e 100644
--- a/gluon/utils.py
+++ b/gluon/utils.py
@@ -19,6 +19,10 @@ import logging
 logger = logging.getLogger("web2py")
+def compare(a,b):
+ """ compares two strings and not vulnerable to timing attacks """
+ return len(a)==len(b) and all(x==b[i] for i,x in enumerate(a))
+
 def md5_hash(text):
 """ Generate a md5 hash with the given text """
 return hashlib.md5(text).hexdigest()
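Review bot: The blank line inserted between the two explanatory comments and `return compare(original_sig, sig)` in verifyURL detaches the comment from the statement it describes; drop the added empty line so the return stays directly under its comment. The body of `verifyURL` starts outside this hunk, so it is not visible whether `original_sig` can be `None` when the request carries no signature — if it can, the new `compare` raises `TypeError` on `len(None)` where the old `==` simply returned `False`, which is worth confirming against the earlier lines of the function.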
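Review bot: The `all(...)` generator in the new `compare` still short-circuits at the first mismatching character, so the comparison time grows with the length of the common prefix of `a` and `b` — the same class of leak the commit sets out to close, just one comparison narrower than `==`. A comparison that is independent of content must visit every position regardless of mismatches and fold the differences into an accumulator, returning only at the end; where the interpreter provides `hmac.compare_digest` that should be preferred over a hand-written loop. The up-front `len(a)==len(b)` exit leaks only the length, which for fixed-size hex digests such as the HMAC signature compared in html.py is not secret. The docstring should also state the contract precisely, e.g. `""" compares two strings in time independent of where they differ (lengths are still compared up front) """`.
```python
def compare(a,b):
    """ compares two strings in time independent of where they differ (lengths are still compared up front) """
    if len(a) != len(b):
        return False
    result = 0
    # visit every position; never return early on a mismatch
    for x, y in zip(a, b):
        result |= ord(x) ^ ord(y)
    return result == 0
```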