mediagoblin-devel

Re: [PATCH mediagoblin 0/1] Replace Authentication Hash Comparison Code


From: Ben Sturmfels
Subject: Re: [PATCH mediagoblin 0/1] Replace Authentication Hash Comparison Code to Use a Constant Time String Comparison
Date: Fri, 04 Aug 2023 22:01:49 +1000
User-agent: mu4e 1.8.11; emacs 29.0.50

Hey Drew,

~andrew-dudash <andrew-dudash@git.sr.ht> writes:

> Currently the password hash comparison code uses a random delay, but I
> always thought constant time string comparison was best practice.
>
> I was going to ask about it, but I thought it would be better to make a
> patch than bike shed. :)
>
> Drew (1):
>   Replace authentication hash comparison code to use a constant time
>     string comparison. Docker debian 11 tests are passing.
>
>  mediagoblin/plugins/basic_auth/tools.py | 12 ++----------
>  1 file changed, 2 insertions(+), 10 deletions(-)

Thanks very much for the patch - merged. I note that Django uses a
similar approach for its password comparison, so I think this is a
solid improvement.

Humble apologies for the delay in getting to it!

Regards,
Ben
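
The difference between the two approaches discussed in this thread, as an added example (not the MediaGoblin patch or any project code). The function names, the 0..50 unit delay model and the sample values are assumptions constructed for illustration; "steps" counts bytes examined, not wall-clock time.

```python
import hmac
import random

def early_exit_equal(a: bytes, b: bytes):
    """Stops at the first mismatch. Returns (equal, bytes examined)."""
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps

def constant_time_equal(a: bytes, b: bytes):
    """Folds every byte into one accumulator. Returns (equal, bytes examined)."""
    diff = len(a) ^ len(b)
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        diff |= x ^ y
    return diff == 0, steps

def mean_cost(steps: int, trials: int, rng: random.Random) -> float:
    """Assumed model: work plus a uniform random delay of 0..50 units, averaged."""
    return sum(steps + rng.uniform(0, 50) for _ in range(trials)) / trials

def hashes_match(stored: str, candidate: str) -> bool:
    """Standard-library constant-time comparison (hmac.compare_digest)."""
    return hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))

# Constructed sample values, not real password hashes.
STORED = b"9f2c4e7a1b3d5f60718293a4b5c6d7e8"
WRONG_EARLY = b"0" + STORED[1:]   # first byte differs
WRONG_LATE = STORED[:-1] + b"0"   # last byte differs

if __name__ == "__main__":
    rng = random.Random(1)
    for name, wrong in (("early", WRONG_EARLY), ("late", WRONG_LATE)):
        _, naive = early_exit_equal(STORED, wrong)
        _, fixed = constant_time_equal(STORED, wrong)
        print(name, "naive steps:", naive, "constant-time steps:", fixed,
              "naive mean with random delay: %.1f" % mean_cost(naive, 5000, rng))
```

In this model the random delay adds noise that averages out, so the input-dependent part of the cost is still visible in the mean, while the constant-time comparison does the same work wherever the mismatch is.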


