
Thomas Waldmann committed 840ebd1 Draft

use a constant-time str comparison function to prevent timing attacks


Files changed (3)

MoinMoin/security/textcha.py

 from MoinMoin import log
 logging = log.getLogger(__name__)
 
+from werkzeug.security import safe_str_cmp as safe_str_equal
+
 from MoinMoin import wikiutil
 from MoinMoin.support.python_compatibility import hmac_new
 
             if not timestamp or timestamp + self.expiry_time < time():
                 success = False
             try:
-                if self._compute_signature(self.question, timestamp) != signature:
+                if not safe_str_equal(self._compute_signature(self.question, timestamp), signature):
                     success = False
             except TypeError:
                 success = False
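Review bot: The unconditional module-level import in the first hunk (`from werkzeug.security import safe_str_cmp as safe_str_equal`, repeated in the user.py and wikiutil.py sections) makes each of these modules fail to import at all when the available werkzeug does not provide `safe_str_cmp`, which exists only from werkzeug 0.7 up to 2.0 (it was removed in 2.1); if the deployment is still on an older bundled werkzeug this breaks page load rather than just the comparison. If Python 2.7.7+ can be required, `hmac.compare_digest` is the standard-library equivalent, with the caveat that it raises TypeError on mixed `str`/`unicode` operands, which suits this textcha call (already inside `except TypeError`) better than the unguarded calls in the other two files. In the verification hunk the `except TypeError` now also absorbs `safe_str_equal` raising on a missing (`None`) signature; a comment such as `# safe_str_equal raises TypeError when signature is None; caught below` keeps that intentional. The werkzeug routine returns early on a length mismatch, which here reveals only the fixed hexdigest length.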
 except ImportError:
     crypt = None
 
+from werkzeug.security import safe_str_cmp as safe_str_equal
+
 from MoinMoin.support.python_compatibility import hash_new, hmac_new
 
 from MoinMoin import config, caching, wikiutil, i18n, events
                     salt = d[:2]
                     enc = crypt.crypt(password.encode('utf-8'), salt.encode('ascii'))
 
-                if epwd == method + enc:
+                if safe_str_equal(epwd, method + enc):
                     data['enc_password'] = encodePassword(password) # upgrade to SSHA
                     return True, True
                 return False, False
             salt = data[20:]
             hash = hash_new('sha1', password.encode('utf-8'))
             hash.update(salt)
-            return hash.digest() == data[:20], False
+            return safe_str_equal(hash.digest(), data[:20]), False
 
         # No encoded password match, this must be wrong password
         return False, False
         # check hmac
         # key must be of type string
         h = hmac_new(str(self.recoverpass_key), str(stamp)).hexdigest()
-        if h != parts[1]:
+        if not safe_str_equal(h, parts[1]):
             return False
         self.recoverpass_key = ""
         self.enc_password = encodePassword(newpass)
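Review bot: None of the three comparisons in this section is guarded the way the textcha one is: `safe_str_cmp` raises TypeError (via `len()`) when an operand is `None`, and these hunks do not show whether `enc`, `data` or `parts[1]` can be anything but a string, so that should be confirmed at the callers — the enclosing methods start outside the hunks. A why-comment on the alias would keep the import from being "simplified" back to `==` later, e.g. `# constant-time equality for secrets (password hashes, recovery HMAC); plain ==/!= stops at the first differing byte`. The length early-exit of the werkzeug routine is harmless in these three places, since the stored crypt string, the 20-byte SHA-1 digest and the HMAC hexdigest all have lengths fixed by their scheme, so only the already-public scheme is revealed.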
 from MoinMoin import log
 logging = log.getLogger(__name__)
 
+from werkzeug.security import safe_str_cmp as safe_str_equal
+
 from MoinMoin import config
 from MoinMoin.support.python_compatibility import rsplit
 from inspect import getargspec, isfunction, isclass, ismethod
     #       if the ticket was created within a session.
     ourticket = createTicket(request, timestamp_str)
     logging.debug("checkTicket: returning %r, got %r, expected %r" % (ticket == ourticket, ticket, ourticket))
-    return ticket == ourticket
+    return safe_str_equal(ticket, ourticket)
 
 
 def renderText(request, Parser, text):
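Review bot: The debug line just above the changed `return` still evaluates `ticket == ourticket` — the `%` formatting runs before `logging.debug` is called, regardless of log level — so the non-constant-time comparison this commit set out to remove is still executed on the same two operands; its result only feeds the log, but it defeats the intent and computes the answer twice. Compute once and log that: `ok = safe_str_equal(ticket, ourticket)`, `logging.debug("checkTicket: returning %r, got %r, expected %r" % (ok, ticket, ourticket))`, `return ok`. Separately, writing the expected (valid) ticket into the debug log exposes the token to anyone who can read the log file; consider logging only the outcome. checkTicket's signature and the start of its body are outside the hunk.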