Random timer to avoid timing oracles and simple bruteforce attacks

Important note: this is a security fix.
Kozea · Apr 19, 2017 · 059ba8d · 059ba8d
1 parent 78e0bfd
commit 059ba8d
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/radicale/auth.py b/radicale/auth.py
@@ -57,6 +57,8 @@
 import functools
 import hashlib
 import os
+import random
+import time
 from importlib import import_module
 
 
@@ -192,6 +194,8 @@ def is_authenticated(self, user, password):
                 line = line.strip()
                 if line:
                     login, hash_value = line.split(":")
-                    if login == user:
-                        return self.verify(hash_value, password)
+                    if login == user and self.verify(hash_value, password):
+                        return True
+        # Random timer to avoid timing oracles and simple bruteforce attacks
+        time.sleep(1 + random.random())
         return False