Random timer to avoid timing oracles and simple bruteforce attacks

Important note: this is a security fix.
Kozea · Apr 19, 2017 · 190b1dd · 190b1dd
1 parent aef652f
commit 190b1dd
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/radicale/auth/htpasswd.py b/radicale/auth/htpasswd.py
@@ -56,7 +56,8 @@
 import base64
 import hashlib
 import os
-
+import random
+import time
 
 from .. import config
 
@@ -161,7 +162,10 @@ def is_authenticated(user, password):
             if strippedline:
                 login, hash_value = strippedline.split(":")
                 if login == user:
-                    # Allow encryption method to be overridden at runtime.
-                    return _verifuncs[ENCRYPTION](hash_value, password)
+                    if _verifuncs[ENCRYPTION](hash_value, password):
+                        # Allow encryption method to be overridden at runtime.
+                        return True
+    # Random timer to avoid timing oracles and simple bruteforce attacks
+    time.sleep(1 + random.random())
     return False