openstack/swift
Code Issues Proposed changes

Merge "Use constant-time string compare for /info requests"

Browse Source
This commit is contained in:
Jenkins 2014-01-19 00:55:31 +00:00 committed by Gerrit Code Review
commit b5697c8570
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
swift/proxy/controllers/info.py
View File

@ -15,7 +15,8 @@
from time import time from time import time
from swift.common.utils import public, get_hmac, get_swift_info, json from swift.common.utils import public, get_hmac, get_swift_info, json, \
streq_const_time
from swift.proxy.controllers.base import Controller, delay_denial from swift.proxy.controllers.base import Controller, delay_denial
from swift.common.swob import HTTPOk, HTTPForbidden, HTTPUnauthorized from swift.common.swob import HTTPOk, HTTPForbidden, HTTPUnauthorized
@ -82,7 +83,12 @@ class InfoController(Controller):
expires, expires,
self.admin_key)) self.admin_key))
if sig not in valid_sigs: # While it's true that any() will short-circuit, this doesn't
# affect the timing-attack resistance since the only way this will
# short-circuit is when a valid signature is passed in.
is_valid_hmac = any(streq_const_time(valid_sig, sig)
for valid_sig in valid_sigs)
if not is_valid_hmac:
return HTTPUnauthorized(request=req) return HTTPUnauthorized(request=req)
headers = {} headers = {}