Commit
Fix potential timing side channel in digest auth.
This change reduces the potential ability to use digest authentication as a side channel for user enumeration. Previously passwords would be hashed for digest users that did not exist, but not hashed for users that *did*. These changes ensure that if password===null no hashing is done. This also means we can remove the string cast. Thanks to Edgaras Janušauskas for raising this issue through our responsible disclosure mailing list.