author | Paul "LeoNerd" Evans <paul@matrix.org> | 2014-09-23 19:07:16 +0100 |
---|---|---|
committer | Paul "LeoNerd" Evans <paul@matrix.org> | 2014-09-23 19:07:16 +0100 |
commit | a7d53227de521a40acb682a7d5a204cc5c64eca4 (patch) | |
tree | 559d33de09b257016e2b31ec47f896bb6a885c9f /synapse/rest | |
parent | use all new /rooms/<room id>/state to actually gather the state for rooms whe... (diff) | |
download | synapse-a7d53227de521a40acb682a7d5a204cc5c64eca4.tar.xz |
Bugfix for older Pythons that lack hmac.compare_digest()
Diffstat (limited to 'synapse/rest')
-rw-r--r-- | synapse/rest/register.py | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/synapse/rest/register.py b/synapse/rest/register.py
index 14d1ab018e..4935e323d9 100644
--- a/synapse/rest/register.py
+++ b/synapse/rest/register.py
@@ -30,6 +30,16 @@ import urllib
 logger = logging.getLogger(__name__)
+# We ought to be using hmac.compare_digest() but on older pythons it doesn't
+# exist. It's a _really minor_ security flaw to use plain string comparison
+# because the timing attack is so obscured by all the other code here it's
+# unlikely to make much difference
+if hasattr(hmac, "compare_digest"):
+    compare_digest = hmac.compare_digest
+else:
+    compare_digest = lambda a, b: a == b
+
+
 class RegisterRestServlet(RestServlet):
     """Handles registration with the home server.
@@ -169,7 +179,7 @@ class RegisterRestServlet(RestServlet):
             # have the buffer interface
             got = str(register_json["captcha_bypass_hmac"])
-            if hmac.compare_digest(want, got):
+            if compare_digest(want, got):
                 session["user"] = register_json["user"]
                 defer.returnValue(None)
             else: |
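Review bot: The fallback `compare_digest = lambda a, b: a == b` in the first hunk leaves the captcha-bypass HMAC check in the second hunk exiting on the first differing character whenever the interpreter lacks hmac.compare_digest, which the new comment accepts as a minor weakness; a length-checked loop that ORs the XOR of every character pair is a handful of lines and removes that data-dependent early exit without touching the call site. The only inputs the fallback has to handle are the two str values the second hunk compares (`want` is a hexdigest, `got` is wrapped in `str(...)`), so `ord()` over `zip(a, b)` is sufficient there. A mismatched length still returns early, which matches what hmac.compare_digest itself does, so that behaviour is unchanged. With a real fallback in place the four-line comment above it should describe the stand-in as mirroring hmac.compare_digest rather than documenting a known flaw.
```python
if hasattr(hmac, "compare_digest"):
    compare_digest = hmac.compare_digest
else:
    def compare_digest(a, b):
        # Pure-Python stand-in for hmac.compare_digest on older interpreters:
        # accumulate the XOR of every character so the loop does not stop at
        # the first mismatch. Both call-site arguments are str.
        if len(a) != len(b):
            return False
        result = 0
        for x, y in zip(a, b):
            result |= ord(x) ^ ord(y)
        return result == 0
```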