
HTTP Basic Authentication implementation may be susceptible to timing attacks #1131

Closed
benjamin-jones opened this issue Jul 28, 2021 · 1 comment

Comments

@benjamin-jones

The implementation of get_current_user() in the BaseHandler definition uses a non-constant time string comparison to validate HTTP basic authentication credentials:

```python
basic, credentials = auth_header.split()
credentials = b64decode(credentials.encode()).decode()
if basic != 'Basic' or credentials not in basic_auth:
```

This could potentially improve the chances of an attacker guessing the authentication credentials beyond a naive bruteforce or dictionary attack via a timing attack.

Consider a constant-time string comparison or hashing the given credentials against a salted hash of the configured credentials.
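The check quoted above beside two constant-time replacements, as an added example that is not code from this issue or from the project. It assumes, as the `in` test suggests, that `basic_auth` is a list of `user:password` strings, and that `auth_header` is the raw value of the HTTP `Authorization` header; the sample credentials are constructed for the example. The `str` equality behind `in` returns as soon as a differing byte is found (after a length check), so the time taken depends on how long a prefix the guess shares with a stored entry; `hmac.compare_digest` removes the prefix dependence, and hashing both sides first also removes the dependence on the configured secret's length, which `compare_digest` alone still exposes.

```python
"""Added example (not flower's own code): the variable-time Basic auth check
described in the issue next to two constant-time alternatives.

Assumptions (not stated in the issue): basic_auth is a list of
"user:password" strings; auth_header is the raw Authorization header value.
"""
import hashlib
import hmac
from base64 import b64decode

# Constructed sample configuration for the example; not real credentials.
BASIC_AUTH = ["admin:correct horse battery staple", "ops:hunter2"]


def parse_basic_header(auth_header):
    """Return the decoded 'user:password' string, or None if the header is
    not a well-formed Basic header (wrong scheme, missing token, bad base64)."""
    parts = auth_header.split()
    if len(parts) != 2 or parts[0] != "Basic":
        return None
    try:
        # validate=True rejects non-alphabet characters instead of skipping them.
        return b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def check_variable_time(credentials, basic_auth):
    """The pattern the issue describes. `in` on a list calls str.__eq__ per
    entry, which stops at the first differing byte, so the elapsed time grows
    with the length of the matching prefix."""
    return credentials in basic_auth


def check_constant_time(credentials, basic_auth):
    """Compare the guess against every configured entry with
    hmac.compare_digest and never break out early, so timing does not depend
    on where the first mismatch is or on which entry (if any) matched.
    Remaining leak: compare_digest returns immediately on a length mismatch,
    so the length of each configured entry is still observable."""
    guess = credentials.encode("utf-8")
    matched = False
    for entry in basic_auth:
        matched |= hmac.compare_digest(guess, entry.encode("utf-8"))
    return matched


def _digest(value):
    """Fixed-length SHA-256 digest used only to normalise lengths before
    comparison (this is not password storage; the config is still plaintext)."""
    return hashlib.sha256(value.encode("utf-8")).digest()


def check_hashed(credentials, basic_auth):
    """Hash both sides before compare_digest: every comparison is now between
    two 32-byte values, so neither prefix nor length of the configured
    secret influences timing."""
    guess = _digest(credentials)
    matched = False
    for entry in basic_auth:
        matched |= hmac.compare_digest(guess, _digest(entry))
    return matched


def authenticate(auth_header, basic_auth):
    """Full replacement for the quoted check: parse, then compare in constant
    time. Malformed headers are rejected without touching the credentials."""
    credentials = parse_basic_header(auth_header)
    if credentials is None:
        return False
    return check_hashed(credentials, basic_auth)


if __name__ == "__main__":
    header = "Basic b3BzOmh1bnRlcjI="  # base64 of the constructed "ops:hunter2"
    print("variable-time:", check_variable_time("ops:hunter2", BASIC_AUTH))
    print("constant-time:", authenticate(header, BASIC_AUTH))
    print("wrong password:", authenticate("Basic b3BzOmh1bnRlcjM=", BASIC_AUTH))
```

The `check_hashed` form is the cheap way to get length-independent timing; going further, as the issue suggests, means storing a salted hash (a proper password KDF) in the configuration instead of the plaintext `user:password` string, and comparing the KDF output of the submitted credentials with `compare_digest` in the same non-short-circuiting loop.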

@mher
Owner

mher commented May 13, 2023

Fixed by #1166

@mher mher closed this as completed May 13, 2023