mirror of
https://github.com/element-hq/synapse.git
synced 2024-11-29 15:39:00 +03:00
Bugfix for older Pythons that lack hmac.compare_digest()
This commit is contained in:
parent
437969eac9
commit
a7d53227de
1 changed files with 11 additions and 1 deletions
|
@ -30,6 +30,16 @@ import urllib
|
||||||
logger = logging.getLogger(__name__)
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
|
||||||
|
# We ought to be using hmac.compare_digest() but on older pythons it doesn't
|
||||||
|
# exist. It's a _really minor_ security flaw to use plain string comparison
|
||||||
|
# because the timing attack is so obscured by all the other code here it's
|
||||||
|
# unlikely to make much difference
|
||||||
|
if hasattr(hmac, "compare_digest"):
|
||||||
|
compare_digest = hmac.compare_digest
|
||||||
|
else:
|
||||||
|
compare_digest = lambda a, b: a == b
|
||||||
|
|
||||||
|
|
||||||
class RegisterRestServlet(RestServlet):
|
class RegisterRestServlet(RestServlet):
|
||||||
"""Handles registration with the home server.
|
"""Handles registration with the home server.
|
||||||
|
|
||||||
|
@ -169,7 +179,7 @@ class RegisterRestServlet(RestServlet):
|
||||||
# have the buffer interface
|
# have the buffer interface
|
||||||
got = str(register_json["captcha_bypass_hmac"])
|
got = str(register_json["captcha_bypass_hmac"])
|
||||||
|
|
||||||
if hmac.compare_digest(want, got):
|
if compare_digest(want, got):
|
||||||
session["user"] = register_json["user"]
|
session["user"] = register_json["user"]
|
||||||
defer.returnValue(None)
|
defer.returnValue(None)
|
||||||
else:
|
else:
|
||||||
|
|
Loading…
Reference in a new issue