Re: [PATCH mediagoblin 0/1] Replace Authentication Hash Comparison Code
From: andrew . dudash
Subject: Re: [PATCH mediagoblin 0/1] Replace Authentication Hash Comparison Code to Use a Constant Time String Comparison
Date: Sat, 05 Aug 2023 16:35:39 +0000
Awesome news! Thanks for reviewing, Ben.
------- Original Message -------
On Friday, August 4th, 2023 at 8:01 AM, Ben Sturmfels <ben@sturm.com.au> wrote:
>
>
> Hey Drew,
>
> ~andrew-dudash andrew-dudash@git.sr.ht writes:
>
> > Currently the password hash comparison code uses a random delay, but I
> > always thought constant time string comparison was best practice.
> >
> > I was going to ask about it, but I thought it would be better to make a
> > patch than bike shed. :)
> >
> > Drew (1):
> > Replace authentication hash comparison code to use a constant time
> > string comparison. Docker debian 11 tests are passing.
> >
> > mediagoblin/plugins/basic_auth/tools.py | 12 ++----------
> > 1 file changed, 2 insertions(+), 10 deletions(-)
>
>
> Thanks very much for the patch - merged. I note that Django uses a
> similar approach for its password comparison, so I think this is a
> solid improvement.
>
> Humble apologies for the delay in getting to it!
>
> Regards,
> Ben
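Added example, not part of the thread and not MediaGoblin's or Django's code: it counts the byte comparisons an early-exit equality check performs on a stored hash, next to a comparison whose work does not depend on where the mismatch is, and then uses Python's standard-library `hmac.compare_digest` for the real check. The function names and the sample hash are constructed for illustration; a random delay only adds noise on top of the data-dependent work shown by the first function.

```python
import hashlib
import hmac

def early_exit_steps(stored: bytes, candidate: bytes) -> int:
    """Byte comparisons a left-to-right equality check makes before it can stop."""
    if len(stored) != len(candidate):
        return 0
    steps = 0
    for x, y in zip(stored, candidate):
        steps += 1
        if x != y:          # stops at the first mismatch: work depends on the data
            break
    return steps

def constant_time_steps(stored: bytes, candidate: bytes):
    """Accumulate differences over every byte; returns (equal, bytes examined)."""
    if len(stored) != len(candidate):
        return False, 0
    diff = 0
    steps = 0
    for x, y in zip(stored, candidate):
        diff |= x ^ y       # no branch on the comparison result
        steps += 1
    return diff == 0, steps

def hash_matches(stored_hex: str, candidate_hex: str) -> bool:
    """Comparison to use in practice: the standard library's constant-time check."""
    return hmac.compare_digest(stored_hex.encode("ascii"), candidate_hex.encode("ascii"))

def _flip(ch: str) -> str:
    """Return a hex digit different from ch."""
    return "1" if ch == "0" else "0"

# Constructed sample data: a stored hash and two wrong candidates that differ
# from it only in the first or only in the last character.
STORED = hashlib.sha256(b"constructed-sample-password").hexdigest()
FIRST_WRONG = _flip(STORED[0]) + STORED[1:]
LAST_WRONG = STORED[:-1] + _flip(STORED[-1])

if __name__ == "__main__":
    for label, cand in (("first char wrong", FIRST_WRONG), ("last char wrong", LAST_WRONG)):
        early = early_exit_steps(STORED.encode(), cand.encode())
        _, fixed = constant_time_steps(STORED.encode(), cand.encode())
        print(f"{label}: early-exit={early} steps, constant-time={fixed} steps, "
              f"match={hash_matches(STORED, cand)}")
```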