Bugfix for older Pythons that lack hmac.compare_digest()

2014-09-23 19:07:16 +01:00 · 2014-09-23 19:07:16 +01:00 · a7d53227de
parent 437969eac9
commit a7d53227de
1 changed files with 11 additions and 1 deletions
--- a/synapse/rest/register.py
+++ b/synapse/rest/register.py
@ -30,6 +30,16 @@ import urllib
 logger = logging.getLogger(__name__)


+# We ought to be using hmac.compare_digest() but on older pythons it doesn't
+# exist. It's a _really minor_ security flaw to use plain string comparison
+# because the timing attack is so obscured by all the other code here it's
+# unlikely to make much difference
+if hasattr(hmac, "compare_digest"):
+    compare_digest = hmac.compare_digest
+else:
+    compare_digest = lambda a, b: a == b
+
+
 class RegisterRestServlet(RestServlet):
    """Handles registration with the home server.

@ -169,7 +179,7 @@ class RegisterRestServlet(RestServlet):
            # have the buffer interface
            got = str(register_json["captcha_bypass_hmac"])

-            if hmac.compare_digest(want, got):
+            if compare_digest(want, got):
                session["user"] = register_json["user"]
                defer.returnValue(None)
            else: