Always check password to avoid timing side channel attacks in REST2 basic auth

This addresses CVE-2021-38562.
sunnavy committed Aug 11, 2021
1 parent 5113dc6 commit 70749bb
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions lib/RT/REST2/Middleware/Auth.pm
@@ -132,10 +132,19 @@ sub login_from_basicauth {
my($user, $pass) = split /:/, (MIME::Base64::decode($1) || ":"), 2;
my $cu = RT::CurrentUser->new;
$cu->Load($user);

# Load the RT system user as well to avoid timing side channel
my $system_user = RT::CurrentUser->new();
$system_user->Load(1); # User with ID 1 should always exist!

if ($cu->id and $cu->IsPassword($pass)) {
return $cu;
}
else {
if (!$cu->id) {
# Avoid timing side channel... always run IsPassword
$system_user->IsPassword($pass);
}
RT->Logger->info("Failed login for $user");
return;
}
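Review bot: the dummy check `$system_user->IsPassword($pass)` only closes the timing gap if the stored credential of user ID 1 is hashed with the same scheme and work factor as ordinary users' passwords, and nothing in the hunk verifies that; the comment `# User with ID 1 should always exist!` states an assumption where a check belongs, since the result of `$system_user->Load(1)` is never tested. Suggest guarding the dummy call with `if ($system_user->id)` (logging if the load failed) and, more robustly, comparing against a fixed dummy hash generated with the current scheme so the equalization does not depend on the contents of one database row. Separately, `RT->Logger->info("Failed login for $user")` writes the raw client-supplied username into the log; consider stripping newlines to prevent log forging.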
