This repository has been archived by the owner on Jan 9, 2019. It is now read-only.

Check nonce with Django cache (bug 963141) #14

Merged (1 commit), Feb 26, 2014

Conversation

kumar303 (Contributor)

No description provided.

    cache.set(key, True,
              # We only need the nonce until the message itself expires.
              # This also adds a little bit of padding.
              timeout=settings.HAWK_MESSAGE_EXPIRATION + 5)


This prevents against replay attacks while the cache key is around, but once the cache has cleared, the nonce is available again, so that means you can replay once it's expired... is that an issue?

kumar303 (Contributor, Author)

It shouldn't be an issue; a Hawk message has a timestamp which expires according to this setting I used. If the message expires, you couldn't replay it anyway, even if nonces weren't getting checked.
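
As an added example (not code from this PR or the project), here is the check the thread describes: a nonce remembered in a TTL cache whose timeout outlives the message, combined with the Hawk timestamp check that makes a replay after nonce eviction harmless. The TTLCache class, the setting values and the key format are assumptions standing in for Django's cache and the project's settings.

```python
# Assumed values standing in for the Django settings used by the PR (constructed
# for this example, not the project's own configuration).
HAWK_MESSAGE_EXPIRATION = 60  # seconds a Hawk message stays valid
NONCE_PADDING = 5             # extra seconds the nonce stays cached


class TTLCache:
    """Minimal stand-in for Django's cache get/set with a timeout (assumption)."""

    def __init__(self):
        self._store = {}

    def get(self, key, now):
        hit = self._store.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if now >= expires_at:          # lazy eviction, like a real TTL cache
            del self._store[key]
            return None
        return value

    def set(self, key, value, timeout, now):
        self._store[key] = (value, now + timeout)


def check_message(cache, credentials_id, nonce, timestamp, now):
    """Return 'ok', 'expired' or 'replay' for one Hawk-style message.

    The timestamp check runs first, so a message older than HAWK_MESSAGE_EXPIRATION
    is rejected whether or not its nonce is still cached; that is why the cache
    timeout only needs to outlive the message.
    """
    if abs(now - timestamp) > HAWK_MESSAGE_EXPIRATION:
        return "expired"
    key = "hawk:nonce:{}:{}".format(credentials_id, nonce)
    if cache.get(key, now):
        return "replay"
    cache.set(key, True, HAWK_MESSAGE_EXPIRATION + NONCE_PADDING, now)
    return "ok"


def demo():
    """Constructed sequence: accept, replay inside the window, stale replay after eviction."""
    cache = TTLCache()
    t0 = 1_000_000.0
    first = check_message(cache, "app-key", "n1", t0, now=t0)
    replay = check_message(cache, "app-key", "n1", t0, now=t0 + 10)
    late = check_message(cache, "app-key", "n1", t0, now=t0 + HAWK_MESSAGE_EXPIRATION + 6)
    return first, replay, late
```

The third call is rejected by the timestamp check even though the cached nonce has already been evicted, which is the point made in the reply above.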

andymckay

r+ then

kumar303 added a commit that referenced this pull request Feb 26, 2014
Check nonce with Django cache (bug 963141)
@kumar303 kumar303 merged commit 5acae04 into mozilla:master Feb 26, 2014
@kumar303 kumar303 deleted the nonce branch February 26, 2014 22:55