Headline
CVE-2014-125056: Merge pull request #1 from tilgovi/passwordtiming · Pylons/horus@fd56ccb
A vulnerability was found in Pylons horus and classified as problematic. It affects unknown functionality in the file horus/flows/local/services.py; the manipulation leads to an observable timing discrepancy. The fix is the patch fd56ccb62ce3cbdab0484fe4f9c25c4eda6c57ec, and applying it is recommended. VDB-217598 is the identifier assigned to this vulnerability.
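As an added example (not code from the horus project or the patch below): the pre-patch `!=` comparison beside a constant-time check built on the standard library's `hmac.compare_digest`, including the str/bytes normalisation that function needs because it raises `TypeError` on mixed types. The `user` dict and the function names are assumptions for illustration, not horus API.

```python
import hmac


def vulnerable_check(stored, supplied):
    # The pre-patch form: '!=' on str stops at the first differing
    # character, so the response time depends on how many leading
    # characters of the supplied value match the stored one.
    return stored != supplied  # True means "reject"


def _to_bytes(value):
    # compare_digest requires both arguments to be the same type (both
    # str, ASCII only, or both bytes-like). Normalising to bytes means a
    # stored str and a bytes value read from the wire cannot raise.
    if isinstance(value, bytes):
        return value
    return value.encode("utf-8")


def password_matches(stored, supplied):
    """Constant-time equality check; time depends only on the lengths."""
    return hmac.compare_digest(_to_bytes(stored), _to_bytes(supplied))


def login_allowed(user, supplied):
    # Mirrors the patched condition in services.py: reject when there is
    # no such user or the constant-time comparison fails. `user` is a
    # constructed dict here, standing in for the real user object.
    if user is None or not password_matches(user["password"], supplied):
        return False
    return True


def mixed_types_raise():
    """The caveat: compare_digest with str on one side and bytes on the
    other raises TypeError instead of returning False."""
    try:
        hmac.compare_digest("abc", b"abc")
    except TypeError:
        return True
    return False
```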
@@ -4,6 +4,24 @@
)
try:
from hmac import compare_digest as is_equal
except ImportError:
def is_equal(lhs, rhs):
"""Returns True if the two strings are equal, False otherwise.
The comparison is based on a common implementation found in Django.
This version avoids a short-circuit even for unequal lengths to reveal
as little as possible. It takes time proportional to the length of its
second argument.
“"”
result = 0 if len(lhs) == len(rhs) else 1
lhs = lhs.ljust(len(rhs))
for x, y in zip(lhs, rhs):
result |= ord(x) ^ ord(y)
return result == 0
class AuthenticationService(object):
def __init__(self, backend):
self.backend = backend
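Review bot: the fallback `is_equal` in this hunk only works for text inputs: `ord(x) ^ ord(y)` raises TypeError on Python 3 when either argument is bytes (iterating bytes yields ints), and the `hmac.compare_digest` it stands in for also raises TypeError when one side is str and the other bytes, so callers must normalise both arguments to one type before calling either. A smaller point: `lhs.ljust(len(rhs))` combined with `zip` silently truncates a longer `lhs`, which is correct only because `result` was already set to 1 by the length check; a one-line comment stating that would save the next reader from re-deriving it.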
@@ -22,7 +40,7 @@ def login(self, login, password):
if (
user is None or
user.password != password
is_equal(user.password, password) is False
):
raise AuthenticationException()
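Review bot: `is_equal(user.password, password) is False` reads awkwardly; `not is_equal(user.password, password)` says the same thing idiomatically. More importantly, nothing in this hunk shows that `user.password` and `password` share a type; if one is bytes and the other str, both `hmac.compare_digest` and the fallback raise TypeError, so a failed login would surface as an unhandled error rather than the intended AuthenticationException. Consider normalising both values to one type, or documenting that upstream hashing guarantees it, before the comparison.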