This plugin may be vulnerable to timing attacks. #3
For example, if I'm using bcrypt as my hash generator, an attacker may notice that the login fails more slowly for existing usernames than for non-existing usernames, and so may discover usernames. This is due to the following part:
In file repoze/who/plugins/sa.py line 167
If the user does not exist then validator never gets executed.
In the attached commit I've included my proposed solution (with unit tests). Notice that I've introduced a new "translation" called dummy_validate. While I would have preferred that "validate_password" be changed to be a function instead of a method (so that we can call it when user is None), this would break a lot of existing software.
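The side channel described in this issue, and the dummy-validation fix proposed for it, can be reproduced in a few lines. The following is an added example and not code from the repoze.who plugin or from the pull request: it uses a constructed in-memory user store and PBKDF2 in place of the SQLAlchemy-backed store and bcrypt, and the names `authenticate_vulnerable`, `authenticate_hardened` and `dummy_validate` are assumptions chosen for illustration. Each authenticate function returns the decision together with the number of password-hash computations it performed, which is the quantity the timing attack observes.

```python
import hashlib
import hmac
import os
import time

# Work factor for the password hash; high enough that the cost is measurable.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash (PBKDF2 stands in for bcrypt in this example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store standing in for the SQLAlchemy-backed one.
USERS = {"alice": make_user("correct horse battery staple")}


def validate_password(user: dict, password: str) -> bool:
    """Equivalent of the per-user validator: one slow hash plus a constant-time compare."""
    return hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])


# Throwaway credentials used only to burn the same amount of work when the
# username does not exist. The password is never valid for any real account.
DUMMY_USER = make_user("dummy-password-never-valid")


def dummy_validate(password: str) -> None:
    """Run the validator against the dummy record so unknown users cost as much as known ones."""
    validate_password(DUMMY_USER, password)


def authenticate_vulnerable(username: str, password: str) -> tuple:
    """Early return on unknown user: no hash is computed, so the failure is fast.

    Returns (authenticated, hash_computations)."""
    user = USERS.get(username)
    if user is None:
        return False, 0  # fast path: leaks that the username does not exist
    return validate_password(user, password), 1


def authenticate_hardened(username: str, password: str) -> tuple:
    """Same decision, but an unknown user still pays for one full hash.

    Returns (authenticated, hash_computations)."""
    user = USERS.get(username)
    if user is None:
        dummy_validate(password)
        return False, 1
    return validate_password(user, password), 1


def average_seconds(fn, *args, rounds: int = 3) -> float:
    """Average wall-clock time of fn(*args) over a few rounds."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Known user with a wrong password versus an unknown user, for each variant.
    for name, fn in (("vulnerable", authenticate_vulnerable), ("hardened", authenticate_hardened)):
        known = average_seconds(fn, "alice", "wrong password")
        unknown = average_seconds(fn, "nobody", "wrong password")
        print(f"{name:10s} known-user failure {known * 1000:7.1f} ms, "
              f"unknown-user failure {unknown * 1000:7.1f} ms")
```

Run directly, the vulnerable variant shows the unknown-user failure completing in well under a millisecond while the known-user failure takes the full hash time; the hardened variant shows both failures taking roughly the same time, which is the property the patch restores. The decision returned by both variants is identical, so the fix costs nothing in correctness, only one extra hash on the unknown-user path.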
Thank you very much for the patch. I only have one suggestion, as you'll see in the commit.
I need to run the test suite with SQLAlchemy and Elixir before I can release it to PYPI, but unfortunately my laptop is being repaired at the moment and the one I'm currently using isn't set up or suitable for development. I should be able to release it on Tuesday or Wednesday.
I assume it's not critical to release it ASAP given that this can only work under a brute force attack, right? These attacks should be prevented at a higher level (e.g., the OS) anyway.
That's right, they should be prevented at another level or by generating a CAPTCHA challenge if many requests are done. However, I think that repoze.who shouldn't be (or generate) a weak point in case it does not occur. After all, this would be optional.
added a commit to this pull request on Nov 23, 2011
Thanks once again!