Mercurial > p > roundup > code

diff roundup/cgi/actions.py @ 6375:c4371ec7d1c0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Call verifyPassword even if user does not exist. Address timing attack caused by not doing the password check if the user doesn't exist. Can expose valid usernames. Really only useful for a tracker that doesn't allow anonymous access to issues. Issues usually show usernames as part of the message display.
author John Rouillard <rouilj@ieee.org>
date Tue, 06 Apr 2021 22:51:55 -0400
parents 45ba6b71f1cf
children ada96db8ec62
line wrap: on
line diff
--- a/roundup/cgi/actions.py	Mon Apr 05 22:42:07 2021 -0400
+++ b/roundup/cgi/actions.py	Tue Apr 06 22:51:55 2021 -0400
@@ -1357,6 +1357,11 @@
         try:
             self.client.userid = self.db.user.lookup(username)
         except KeyError:
+            # Perform password check against anonymous user.
+            # Prevents guessing of valid usernames by detecting
+            # delay caused by checking password only on valid
+            # users.
+            _discard = self.verifyPassword("2", password)
             raise exceptions.LoginError(self._('Invalid login'))
 
         # verify the password
Roundup Issue Tracker: http://roundup-tracker.org/