mirror of
https://github.com/fish-shell/fish-shell.git
synced 2025-01-19 23:12:44 +08:00
webconfig: Use a constant-time token comparison
This prevents a linear-time attack to recover the auth token.
This commit is contained in:
parent
d63db59ade
commit
aaddccfdb1
|
@ -680,6 +680,14 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
|
||||||
result.extend([r for r in sample_results if r])
|
result.extend([r for r in sample_results if r])
|
||||||
return result
|
return result
|
||||||
|
|
||||||
|
def secure_startswith(self, haystack, needle):
|
||||||
|
if len(haystack) < len(needle):
|
||||||
|
return False
|
||||||
|
bits = 0
|
||||||
|
for x,y in zip(haystack, needle):
|
||||||
|
bits |= ord(x) ^ ord(y)
|
||||||
|
return bits == 0
|
||||||
|
|
||||||
def font_size_for_ansi_prompt(self, prompt_demo_ansi):
|
def font_size_for_ansi_prompt(self, prompt_demo_ansi):
|
||||||
width = ansi_prompt_line_width(prompt_demo_ansi)
|
width = ansi_prompt_line_width(prompt_demo_ansi)
|
||||||
# Pick a font size
|
# Pick a font size
|
||||||
|
@ -697,7 +705,7 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
|
||||||
p = self.path
|
p = self.path
|
||||||
|
|
||||||
authpath = '/' + authkey
|
authpath = '/' + authkey
|
||||||
if p.startswith(authpath):
|
if self.secure_startswith(p, authpath):
|
||||||
p = p[len(authpath):]
|
p = p[len(authpath):]
|
||||||
else:
|
else:
|
||||||
return self.send_error(403)
|
return self.send_error(403)
|
||||||
|
@ -736,7 +744,7 @@ class FishConfigHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
|
||||||
p = self.path
|
p = self.path
|
||||||
|
|
||||||
authpath = '/' + authkey
|
authpath = '/' + authkey
|
||||||
if p.startswith(authpath):
|
if self.secure_startswith(p, authpath):
|
||||||
p = p[len(authpath):]
|
p = p[len(authpath):]
|
||||||
else:
|
else:
|
||||||
return self.send_error(403)
|
return self.send_error(403)
|
||||||
|
|
Loading…
Reference in New Issue
Block a user