server/api: patch timing attack on password reset form

Alice Ryhl 2017-02-07 20:23:47 +01:00 committed by Marcin Kurczewski
parent 7f09306dde
commit a3b3532ca4
1 changed files with 6 additions and 1 deletions


@ -1,6 +1,7 @@
from typing import Dict from typing import Dict
from szurubooru import config, errors, rest from szurubooru import config, errors, rest
from szurubooru.func import auth, mailer, users, versions from szurubooru.func import auth, mailer, users, versions
from hashlib import md5
MAIL_SUBJECT = 'Password reset for {name}' MAIL_SUBJECT = 'Password reset for {name}'
@ -30,6 +31,10 @@ def start_password_reset(
return {} return {}
def _hash(token: str) -> str:
return md5(token.encode('utf-8')).hexdigest()
@rest.routes.post('/password-reset/(?P<user_name>[^/]+)/?') @rest.routes.post('/password-reset/(?P<user_name>[^/]+)/?')
def finish_password_reset( def finish_password_reset(
ctx: rest.Context, params: Dict[str, str]) -> rest.Response: ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
@ -37,7 +42,7 @@ def finish_password_reset(
user = users.get_user_by_name_or_email(user_name) user = users.get_user_by_name_or_email(user_name)
good_token = auth.generate_authentication_token(user) good_token = auth.generate_authentication_token(user)
token = ctx.get_param_as_string('token') token = ctx.get_param_as_string('token')
if token != good_token: if _hash(token) != _hash(good_token):
raise errors.ValidationError('Invalid password reset token.') raise errors.ValidationError('Invalid password reset token.')
new_password = users.reset_user_password(user) new_password = users.reset_user_password(user)
versions.bump_version(user) versions.bump_version(user)
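Review bot: The new comparison `if _hash(token) != _hash(good_token):` is still a variable-time `str` comparison on the two hex digests; hashing first decorrelates the leaked timing from the attacker-chosen input, which is presumably the intent, but the standard library already provides a constant-time comparison, so the helper and the `md5` import can go: `if not hmac.compare_digest(token, good_token):` with `import hmac` placed in the stdlib import group above the `szurubooru` imports (the new `from hashlib import md5` line in the first hunk is currently below them). If `_hash` is kept, give it a docstring saying why both sides are hashed, e.g. `"""Hash both values before comparing so the compare's timing does not depend on the attacker-controlled token."""`, since a later reader may otherwise remove it as pointless. If `ctx.get_param_as_string` can return `None` for a missing parameter, `_hash(token)` would raise `AttributeError` instead of the `ValidationError` below — worth confirming against that helper. The body of `finish_password_reset` continues past the end of this hunk.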