The implementation of get_current_user() in the BaseHandler definition uses a non-constant time string comparison to validate HTTP basic authentication credentials:
```python
basic, credentials = auth_header.split()
credentials = b64decode(credentials.encode()).decode()
if basic != 'Basic' or credentials not in basic_auth:
```
This could potentially improve the chances of an attacker guessing the authentication credentials beyond a naive bruteforce or dictionary attack via a timing attack.
Consider a constant-time string comparison or hashing the given credentials against a salted hash of the configured credentials.
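The pattern quoted above next to a hardened variant, as an added example that is not code from the issue or the project: it assumes `basic_auth` is a collection of `"user:password"` strings, hashes both sides to a fixed length before `hmac.compare_digest` (so neither content nor length differences short-circuit), and checks every configured entry rather than returning on the first hit.

```python
import hashlib
import hmac
from base64 import b64decode, b64encode

# Constructed sample configuration; the real project's `basic_auth` is assumed
# to hold "user:password" strings in the same way.
BASIC_AUTH = ["alice:s3cret-pass", "bob:hunter2"]


def make_auth_header(user, password):
    """Build an HTTP Basic header value for the test inputs below."""
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()


def check_basic_header_vulnerable(auth_header, basic_auth=BASIC_AUTH):
    """Mirrors the pattern in the issue: `in` falls back to ordinary string
    equality, which stops at the first differing byte and so leaks timing."""
    basic, credentials = auth_header.split()
    credentials = b64decode(credentials.encode()).decode()
    return basic == "Basic" and credentials in basic_auth


def check_basic_header_constant_time(auth_header, basic_auth=BASIC_AUTH):
    """Hardened variant: parse defensively, then compare fixed-length digests
    of the presented and each configured credential with compare_digest."""
    try:
        scheme, encoded = auth_header.split(" ", 1)
        # validate=True rejects junk instead of silently discarding it
        # (binascii.Error is a ValueError subclass).
        presented = b64decode(encoded, validate=True)
    except ValueError:
        return False
    if scheme != "Basic":
        return False
    # Hashing first gives equal-length inputs; compare_digest returns
    # immediately on unequal lengths, which would otherwise leak the length.
    presented_digest = hashlib.sha256(presented).digest()
    matched = False
    for entry in basic_auth:
        entry_digest = hashlib.sha256(entry.encode()).digest()
        # Accumulate with |= rather than returning early, so the loop does
        # the same work whichever entry (if any) matches.
        matched |= hmac.compare_digest(presented_digest, entry_digest)
    return matched
```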