Commit 15a65975 authored by Jérome Perrin's avatar Jérome Perrin

stack/resilient: compare password in constant time

parent 15c1948f
Pipeline #25853 passed with stage
in 0 seconds
......@@ -46,7 +46,7 @@ md5sum = 2c9828b57a65ee1eda62fcc4e9a92714
[resilient-web-takeover-cgi-script-download]
filename = resilient-web-takeover-cgi-script.py.in
md5sum = 261d00f9ae4f75881385727832eec249
md5sum = 8f5c9830f4865265d3477fe51425e71d
[template-wrapper]
filename = templates/wrapper.in
......
......@@ -8,6 +8,7 @@ takeover_script = '${resiliency-takeover-script:wrapper-takeover}'
import atexit
import cgi
import datetime
import hmac
try:
import dbm.gnu as gdbm
except ImportError:
......@@ -105,7 +106,7 @@ if "password" not in form:
</html>""" % (latest_backup_message, isBackupInProgress(), getSoftwareReleaseInformationFormatted()))
sys.exit(0)
if form['password'].value != '${:password}':
if not hmac.compare_digest(form['password'].value.encode(), b'${:password}'):
print("<H1>Error</H1>")
print("Password is invalid.")
sys.exit(1)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment