This repository was archived by the owner on Jun 10, 2024. It is now read-only.
Potential Side Channel Attack on non-constant time Comparison #997
Open
Description
- pyspider version: 0.3.10
- Operating system: Ubuntu-22.04
- Start up command:
Expected behavior
The vulnerable code is here; the password comparison should use a constant-time algorithm.
Actual behavior
The vulnerable code is here. An attacker could leverage the differences in execution time to recover the secrets. String comparison with == is not a constant-time implementation; the execution time may vary based on how many characters are matched. A constant-time implementation would be recommended.
A more detailed explanation can be found here.
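The following is an added illustration of the point made in this report, not code from pyspider itself: a short-circuiting comparison modelled in Python beside a constant-time credential check built on hmac.compare_digest. The function and parameter names, and the idea of hashing both sides to a fixed length before comparing, are assumptions for the example, not the project's actual login code.

```python
import hashlib
import hmac


def naive_equal(a: bytes, b: bytes) -> bool:
    """Model of what a short-circuiting comparison (like str ==) does.

    It returns as soon as the first mismatching byte is seen, so the time
    taken depends on the length of the common prefix between the supplied
    value and the secret. That is the leak the report describes.
    """
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False  # early exit: timing depends on position of mismatch
    return True


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Compare two byte strings without short-circuiting on mismatch."""
    return hmac.compare_digest(a, b)


def _fixed_length(value: str) -> bytes:
    # Hash to a fixed 32-byte digest so that neither the length nor the
    # content of the configured secret influences comparison time.
    return hashlib.sha256(value.encode("utf-8")).digest()


def check_credentials(supplied_user: str, supplied_pw: str,
                      expected_user: str, expected_pw: str) -> bool:
    """Hypothetical hardened login check (assumed names, not pyspider's).

    Both fields are always compared (no early return on a bad username),
    and each comparison runs in constant time over fixed-length digests.
    """
    user_ok = constant_time_equal(_fixed_length(supplied_user),
                                  _fixed_length(expected_user))
    pw_ok = constant_time_equal(_fixed_length(supplied_pw),
                                _fixed_length(expected_pw))
    return user_ok and pw_ok
```

The same hmac.compare_digest pattern applies to any secret compared by a web UI or API handler, such as tokens or API keys.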