Always check password to avoid timing side channel attacks in REST2 b…

…asic auth This addresses CVE-2021-38562.
bestpractical · Aug 11, 2021 · 70749bb · 70749bb
1 parent 5113dc6
commit 70749bb
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/lib/RT/REST2/Middleware/Auth.pm b/lib/RT/REST2/Middleware/Auth.pm
@@ -132,10 +132,19 @@ sub login_from_basicauth {
         my($user, $pass) = split /:/, (MIME::Base64::decode($1) || ":"), 2;
         my $cu = RT::CurrentUser->new;
         $cu->Load($user);
+
+        # Load the RT system user as well to avoid timing side channel
+        my $system_user = RT::CurrentUser->new();
+        $system_user->Load(1);    # User with ID 1 should always exist!
+
         if ($cu->id and $cu->IsPassword($pass)) {
             return $cu;
         }
         else {
+            if (!$cu->id) {
+                # Avoid timing side channel... always run IsPassword
+                $system_user->IsPassword($pass);
+            }
             RT->Logger->info("Failed login for $user");
             return;
         }