This repository was archived by the owner on Jan 10, 2023. It is now read-only.

xsrf _Compare function is vulnerable to timing attacks #35

@NilsAtGoogle

_Compare should be replaced with hmac.compare_digest

https://docs.python.org/2/library/hmac.html

It's preferred to use hmac.compare_digest over hand-rolling
a constant-time comparison function, because it is difficult or impossible to
implement correctly in pure Python.

Fun example: https://bugs.python.org/issue15061#msg162758

Note that it takes a different amount of time to create the result of ord() depending
on whether it's <=100 or > 100, due to caching of small numbers.

So definitely prefer hmac.compare_digest, if timing attacks are a worry.
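As an added illustration (not code from this repository or from the issue author), the following puts the kind of hand-rolled XOR-accumulate comparison the issue warns about beside an XSRF token check built on `hmac.compare_digest`. The token format (`<nonce>:<hex HMAC>`), the `SECRET_KEY` value, and the function names are assumptions made for the example. `hmac.compare_digest` is available from Python 2.7.7 and 3.3 onward; the code below targets Python 3.

```python
import hashlib
import hmac
import secrets

# Constructed demo key for the example only; a real deployment loads this
# from configuration or a key-management service, never from source.
SECRET_KEY = b"demo-secret-key-not-for-production"


def make_xsrf_token(user_id, nonce=None):
    """Issue a token '<nonce>:<hex HMAC-SHA256>' bound to user_id (assumed format)."""
    if nonce is None:
        nonce = secrets.token_hex(16)
    msg = ("%s:%s" % (user_id, nonce)).encode("utf-8")
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return "%s:%s" % (nonce, mac)


def handrolled_compare(a, b):
    """The pure-Python pattern the issue argues against.

    The XOR-accumulate loop avoids an early return on the first mismatch, but
    each ord()/xor/or step is still interpreted bytecode whose timing can
    depend on the operand values, so it is not a reliable constant-time
    comparison. Shown only as the 'before' picture.
    """
    if len(a) != len(b):
        return False
    result = 0
    for x, y in zip(a, b):
        result |= ord(x) ^ ord(y)
    return result == 0


def verify_xsrf_token(user_id, token):
    """Verify a token using hmac.compare_digest, which runs in C.

    Both sides are encoded to bytes first: on Python 3, compare_digest only
    accepts str arguments that are pure ASCII and raises TypeError otherwise,
    and a client-supplied token must not be able to trigger that exception.
    Length mismatches simply compare unequal, which is fine here because the
    expected MAC always has a fixed length.
    """
    if not isinstance(token, str):
        return False
    try:
        nonce, presented_mac = token.split(":", 1)
    except ValueError:
        return False
    expected_mac = make_xsrf_token(user_id, nonce).split(":", 1)[1]
    return hmac.compare_digest(expected_mac.encode("utf-8"),
                               presented_mac.encode("utf-8"))


if __name__ == "__main__":
    token = make_xsrf_token("alice")
    print("valid for alice:", verify_xsrf_token("alice", token))   # True
    print("valid for bob:  ", verify_xsrf_token("bob", token))     # False
```

The only line that matters for the issue is the `hmac.compare_digest` call; everything else exists so the comparison is exercised on realistic input, including a malformed token, a token presented for a different user, and a non-ASCII token that would crash a naive `compare_digest(str, str)` call.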
