Avoid timing attacks in AuthTktAuthenticationPolicy #320

Merged
merged 1 commit into from Oct 15, 2011

rfk commented Oct 15, 2011

This factors out the timing-invariant string comparison code from
session.py and re-uses it for signature checking in AuthTkt code.
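
The kind of signature check this pull request describes, as an added example that is not Pyramid's code. The ticket layout (hex HMAC-SHA256 digest followed by the payload) is a simplified stand-in for the real auth_tkt format, and the names `digests_differ`, `sign_ticket` and `verify_ticket` are hypothetical.

```python
import hashlib
import hmac

# Hex digest length for SHA-256 (64 characters).
DIGEST_HEX_LEN = hashlib.sha256().digest_size * 2


def digests_differ(a: bytes, b: bytes) -> bool:
    """Return True if a != b, touching every byte instead of stopping
    at the first mismatch, so run time does not depend on how many
    leading bytes of a guess are correct."""
    if len(a) != len(b):
        return True  # digest length is fixed and public, not a secret
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # accumulate differences, no early exit
    return diff != 0


def sign_ticket(secret: bytes, payload: bytes) -> bytes:
    """Build a ticket: hex digest followed by the payload (assumed layout)."""
    digest = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return digest.encode("ascii") + payload


def verify_ticket(secret: bytes, ticket: bytes):
    """Return the payload if the signature is valid, otherwise None."""
    if len(ticket) < DIGEST_HEX_LEN:
        return None
    presented = ticket[:DIGEST_HEX_LEN]
    payload = ticket[DIGEST_HEX_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode("ascii")
    # A plain `presented != expected` may return at the first differing
    # byte; the timing-invariant comparison removes that signal.
    # hmac.compare_digest(presented, expected) is the standard-library
    # equivalent on current Python versions.
    if digests_differ(presented, expected):
        return None
    return payload


# Constructed sample values for the demonstration.
SECRET = b"constructed-demo-secret"
PAYLOAD = b"userid=alice;ts=1318636800"
TICKET = sign_ticket(SECRET, PAYLOAD)

if __name__ == "__main__":
    print(verify_ticket(SECRET, TICKET))
```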

mcdonc added a commit that referenced this pull request Oct 15, 2011

Merge pull request #320 from rfk/authtkt-timing-attack
Avoid timing attacks in AuthTktAuthenticationPolicy

@mcdonc mcdonc merged commit d1527f4 into Pylons:master Oct 15, 2011

mcdonc commented Oct 15, 2011

Thank you!

biosyssun pushed a commit to biosyssun/pyramid that referenced this pull request Dec 13, 2014

- The AuthTktAuthenticationPolicy did not use a timing-attack-aware string
  comparator.  See Pylons/pyramid#320 for more info.

References issue#320.