Call verifyPassword even if user does not exist.
Address timing attack caused by not doing the password check if the
user doesn't exist. Can expose valid usernames. Really only useful for
a tracker that doesn't allow anonymous access to issues. Issues
usually show usernames as part of the message display.
rouilj committed Apr 7, 2021
1 parent 16d6f2b commit 7c8deb4
Showing 2 changed files with 8 additions and 0 deletions.
3 changes: 3 additions & 0 deletions CHANGES.txt
@@ -73,6 +73,9 @@ Fixed:
- issue2551108 - fix handling of designator links when formatted
as markdown links. (Reported by Cedric Krier; John Rouillard)
- Fix filename created from mail attachments, fixes issue2551118
- Call verifyPassword even if user does not exist. Address timing
attack to discover valid account names. Useful where anonymous user
is not allowed access. (John Rouillard)

Features:
- issue2550522 - Add 'filter' command to command-line
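Review bot: the new entry under Fixed: lacks the issue reference that the neighbouring entries carry (issue2551108, issue2551118); if this was tracked as an issue, add its number, and consider marking it as a security fix so it stands out in release notes. The entry states the mitigation is "Useful where anonymous user is not allowed access" but not why; the commit message supplies the reason (issue pages normally display usernames, so they already reveal valid accounts), and one clause to that effect would let readers judge whether the fix matters for their tracker.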
5 changes: 5 additions & 0 deletions roundup/cgi/actions.py
@@ -1357,6 +1357,11 @@ def verifyLogin(self, username, password):
try:
self.client.userid = self.db.user.lookup(username)
except KeyError:
# Perform password check against anonymous user.
# Prevents guessing of valid usernames by detecting
# delay caused by checking password only on valid
# users.
_discard = self.verifyPassword("2", password)
raise exceptions.LoginError(self._('Invalid login'))

# verify the password
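Review bot: the anonymous account is hardcoded as the string "2" in `_discard = self.verifyPassword("2", password)`, and nothing in the hunk checks that a user with that id exists or that it is actually the anonymous user; on a tracker where ids differ the call could raise something other than LoginError or compare against the wrong account. Prefer resolving it by name, e.g. `self.db.user.lookup('anonymous')`, inside its own except so that any failure still ends in the same `raise exceptions.LoginError(self._('Invalid login'))`. Second, the dummy check only closes the timing gap if the anonymous account's stored password is hashed with the same scheme and cost as ordinary accounts; if that account has an empty or differently hashed password, verifyPassword may return quickly and the username oracle the comment describes remains. Worth confirming how verifyPassword treats that account and recording the assumption in the comment block.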