1 From c0eed792a22865b280f99cbb79076fa7ad19fcbb Mon Sep 17 00:00:00 2001 |
|
2 From: Samuel Merritt <[email protected]> |
|
3 Date: Thu, 16 Jan 2014 12:45:52 +0000 |
|
4 Subject: Use constant time comparison in tempURL |
|
5 |
|
6 Use constant time comparison when evaluating tempURL to avoid timing |
|
7 attacks (CVE-2014-0006). This is the grizzly backport of the master |
|
8 patch. |
|
9 |
|
10 Fixes bug 1265665 |
|
11 |
|
12 Change-Id: I11e4ad83cc4077e52adf54a0bd0f9749294b2a48 |
|
13 --- |
|
14 diff --git a/swift/common/middleware/tempurl.py b/swift/common/middleware/tempurl.py |
|
15 index 5a05de7..8a2517e 100644 |
|
16 --- a/swift/common/middleware/tempurl.py |
|
17 +++ b/swift/common/middleware/tempurl.py |
|
18 @@ -98,6 +98,7 @@ from urlparse import parse_qs |
|
19 |
|
20 from swift.common.wsgi import make_pre_authed_env |
|
21 from swift.common.http import HTTP_UNAUTHORIZED |
|
22 +from swift.common.utils import streq_const_time |
|
23 |
|
24 |
|
25 #: Default headers to remove from incoming requests. Simply a whitespace |
|
26 @@ -248,14 +249,14 @@ class TempURL(object): |
|
27 if env['REQUEST_METHOD'] == 'HEAD': |
|
28 hmac_val = self._get_hmac(env, temp_url_expires, key, |
|
29 request_method='GET') |
|
30 - if temp_url_sig != hmac_val: |
|
31 + if not streq_const_time(temp_url_sig, hmac_val): |
|
32 hmac_val = self._get_hmac(env, temp_url_expires, key, |
|
33 request_method='PUT') |
|
34 - if temp_url_sig != hmac_val: |
|
35 + if not streq_const_time(temp_url_sig, hmac_val): |
|
36 return self._invalid(env, start_response) |
|
37 else: |
|
38 hmac_val = self._get_hmac(env, temp_url_expires, key) |
|
39 - if temp_url_sig != hmac_val: |
|
40 + if not streq_const_time(temp_url_sig, hmac_val): |
|
41 return self._invalid(env, start_response) |
|
42 self._clean_incoming_headers(env) |
|
43 env['swift.authorize'] = lambda req: None |
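Review bot: The three `streq_const_time` checks in this hunk carry no comment saying why a constant-time compare is required, and `temp_url_sig` arriving from the query string is the reason; a short comment on the first comparison, e.g. `# temp_url_sig is caller-supplied: compare in constant time so a mismatch does not reveal how many leading bytes matched (CVE-2014-0006)`, would keep a later cleanup from quietly reverting to `!=`. Note that `streq_const_time` returns early when the two lengths differ, which is acceptable here because `hmac_val` is a fixed-length hexdigest and the only variable-length operand is the caller's own input, so that early exit exposes nothing secret. The identical compare-then-fallback pattern appears three times; a small private helper such as `_sig_matches(self, env, temp_url_expires, key, sig, request_method)` would let the HEAD-specific GET/PUT fallback read as a single loop over candidate methods, though that is a style point rather than a defect. The enclosing method of TempURL starts before this hunk and continues past it.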