From a7d53227de521a40acb682a7d5a204cc5c64eca4 Mon Sep 17 00:00:00 2001
From: "Paul \"LeoNerd\" Evans"
Date: Tue, 23 Sep 2014 19:07:16 +0100
Subject: [PATCH] Bugfix for older Pythons that lack hmac.compare_digest()
---
 synapse/rest/register.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/synapse/rest/register.py b/synapse/rest/register.py
index 14d1ab018..4935e323d 100644
--- a/synapse/rest/register.py
+++ b/synapse/rest/register.py
@@ -30,6 +30,16 @@ import urllib
 
 logger = logging.getLogger(__name__)
 
+# We ought to be using hmac.compare_digest() but on older pythons it doesn't
+# exist. It's a _really minor_ security flaw to use plain string comparison
+# because the timing attack is so obscured by all the other code here it's
+# unlikely to make much difference
+if hasattr(hmac, "compare_digest"):
+    compare_digest = hmac.compare_digest
+else:
+    compare_digest = lambda a, b: a == b
+
+
 class RegisterRestServlet(RestServlet):
     """Handles registration with the home server.
 
@@ -169,7 +179,7 @@ class RegisterRestServlet(RestServlet):
             # have the buffer interface
             got = str(register_json["captcha_bypass_hmac"])
 
-            if hmac.compare_digest(want, got):
+            if compare_digest(want, got):
                 session["user"] = register_json["user"]
                 defer.returnValue(None)
             else:
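Review bot: The fallback `compare_digest = lambda a, b: a == b` in the first hunk reintroduces the early-exit comparison that hmac.compare_digest() exists to avoid, and the comment's argument that surrounding code obscures the timing signal is not a safe assumption, since timing noise can be averaged away over repeated requests; this is the comparison the second hunk feeds `want`/`got` into for the captcha-bypass check, so a constant-time fallback is worth the few extra lines. A length-check followed by an XOR accumulate over `zip(a, b)` needs only the standard library on the Pythons that lack compare_digest (it arrived in 2.7.7 / 3.3, as far as I recall) and leaks only the length, the same profile as the stdlib function. I'd also make it a `def` instead of a lambda bound to a name, and document that both arguments are expected to be the same type (`got` is coerced with `str()` in the second hunk, but `want` is built outside it, so that assumption should be confirmed). The call site in the second hunk needs no further change; the enclosing method there starts and ends outside the hunk.

```python
# … unchanged: logger = logging.getLogger(__name__) …
if hasattr(hmac, "compare_digest"):
    compare_digest = hmac.compare_digest
else:
    def compare_digest(a, b):
        """Constant-time equality for two same-typed str digests.

        Fallback for Pythons without hmac.compare_digest(): the running
        time does not depend on where the first mismatching byte is, so
        only the length can be observed (as with the stdlib version).
        Assumes both arguments are str, as the caller's str() coercion
        suggests -- confirm for the `want` side.
        """
        if len(a) != len(b):
            return False
        diff = 0
        for x, y in zip(a, b):
            diff |= ord(x) ^ ord(y)
        return diff == 0
```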