authorPaul "LeoNerd" Evans <paul@matrix.org>2014-09-23 19:07:16 +0100
committerPaul "LeoNerd" Evans <paul@matrix.org>2014-09-23 19:07:16 +0100
commita7d53227de521a40acb682a7d5a204cc5c64eca4 (patch)
tree559d33de09b257016e2b31ec47f896bb6a885c9f /synapse/rest
parentuse all new /rooms/<room id>/state to actually gather the state for rooms whe... (diff)
Bugfix for older Pythons that lack hmac.compare_digest()
Diffstat (limited to 'synapse/rest')
-rw-r--r--synapse/rest/register.py12
1 files changed, 11 insertions, 1 deletions
diff --git a/synapse/rest/register.py b/synapse/rest/register.py
index 14d1ab018e..4935e323d9 100644
--- a/synapse/rest/register.py
+++ b/synapse/rest/register.py
@@ -30,6 +30,16 @@ import urllib
 logger = logging.getLogger(__name__)
 
 
+# We ought to be using hmac.compare_digest() but on older pythons it doesn't
+# exist. It's a _really minor_ security flaw to use plain string comparison
+# because the timing attack is so obscured by all the other code here it's
+# unlikely to make much difference
+if hasattr(hmac, "compare_digest"):
+    compare_digest = hmac.compare_digest
+else:
+    compare_digest = lambda a, b: a == b
+
+
 class RegisterRestServlet(RestServlet):
     """Handles registration with the home server.
 
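Review bot: The fallback `compare_digest = lambda a, b: a == b` leaks the index of the first mismatching byte through timing, and the comment above it argues the leak away rather than closing it; a constant-time pure-Python equivalent costs only a few lines, so the old-Python path can keep the same guarantee as the `hmac.compare_digest` path. How exploitable the leak is over a network is not something this hunk settles, but the usual byte-at-a-time approach against a hex HMAC is well known, and the safe version is cheap enough that the "really minor" judgement need not be relied on. The rewrite below checks lengths first (length is not secret here) and then ORs the XOR of every byte pair so the loop always runs to the end; it assumes both arguments are byte strings, which the call site's `str(...)` coercion appears to arrange — worth confirming on the Python versions this branch targets. I would also shorten the comment to say what the fallback guarantees rather than why the weaker one was thought acceptable.

```python
if hasattr(hmac, "compare_digest"):
    compare_digest = hmac.compare_digest
else:
    def compare_digest(a, b):
        # Pure-Python stand-in for hmac.compare_digest on older Pythons:
        # compare every byte so run time depends only on the lengths,
        # not on where the first mismatch is.
        if len(a) != len(b):
            return False
        acc = 0
        for x, y in zip(bytearray(a), bytearray(b)):
            acc |= x ^ y
        return acc == 0
```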
@@ -169,7 +179,7 @@ class RegisterRestServlet(RestServlet):
             # have the buffer interface
             got = str(register_json["captcha_bypass_hmac"])
 
-            if hmac.compare_digest(want, got):
+            if compare_digest(want, got):
                 session["user"] = register_json["user"]
                 defer.returnValue(None)
             else:
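Review bot: The `str(register_json["captcha_bypass_hmac"])` on the line above the changed call coerces an attacker-supplied JSON value before the comparison, and on the older Pythons this commit targets `str()` of a unicode value containing non-ASCII characters would presumably raise `UnicodeEncodeError` rather than fail the check, turning a bad bypass token into a server error instead of a rejection. If that is the case, a type check before the coercion, e.g. `if not isinstance(register_json["captcha_bypass_hmac"], basestring): raise SynapseError(400, "Bad captcha_bypass_hmac")`, would keep the failure path uniform; the exact exception class to use is defined outside this hunk and should be checked. The enclosing method starts and continues outside the hunk, so where `want` is computed and how a mismatch is handled is not visible here.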