From e4a39488c4510fcad8851217f10e7337a196bb51 Mon Sep 17 00:00:00 2001
|
|
From: Kunal Mehta <legoktm@debian.org>
|
|
Date: Tue, 8 Jun 2021 00:54:14 -0400
|
|
Subject: [PATCH] Check the REST API password in a way that is resistant to
|
|
timing attacks (CVE-2021-34337)
|
|
|
|
Using basic string equality is vulnerable to timing attacks as it will
|
|
short circuit at the first wrong character. Using hmac.compare_digest
|
|
avoids that issue and will take the same time, regardless of whether
|
|
the value is correct or not.
|
|
|
|
This is only exploitable if an attacker can talk directly to the
|
|
REST API, which by default is bound to localhost.
|
|
|
|
Fixes #911.
|
|
---
|
|
src/mailman/rest/wsgiapp.py | 4 +++-
|
|
1 files changed, 3 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/mailman/rest/wsgiapp.py b/src/mailman/rest/wsgiapp.py
|
|
index 14d9a4e03..ab5be448d 100644
|
|
--- a/src/mailman/rest/wsgiapp.py
|
|
+++ b/src/mailman/rest/wsgiapp.py
|
|
@@ -18,6 +18,7 @@
|
|
"""Basic WSGI Application object for REST server."""
|
|
|
|
import re
|
|
+import hmac
|
|
import logging
|
|
|
|
from base64 import b64decode
|
|
@@ -55,7 +56,8 @@ class Middleware:
|
|
credentials = b64decode(request.auth[6:]).decode('utf-8')
|
|
username, password = credentials.split(':', 1)
|
|
if (username == config.webservice.admin_user and
|
|
- password == config.webservice.admin_pass):
|
|
+ hmac.compare_digest(
|
|
+ password, config.webservice.admin_pass)):
|
|
authorized = True
|
|
if not authorized:
|
|
# Not authorized.
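Review bot: The new hmac.compare_digest call on the two added lines is handed str operands, and for str it only supports ASCII — a password decoded from the utf-8 credentials that contains any non-ASCII character makes it raise TypeError instead of returning False, so an unauthenticated request with such a password would turn a 401 into an unhandled error rather than a clean rejection. Comparing bytes avoids this: `hmac.compare_digest(password.encode('utf-8'), config.webservice.admin_pass.encode('utf-8'))`. The `username == config.webservice.admin_user` test on the preceding context line still uses short-circuit equality, which the commit message does not mention; whether that matters depends on whether the admin username is considered secret. The enclosing method of Middleware starts and ends outside the hunk.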
|
|
--
|
|
GitLab