prevent side channel attacks in the mesh authorization code

Jenny Danzmayr 2023-12-01 17:11:06 +01:00
parent f5e3aeb15a
commit 78ff88a390


@ -14,6 +14,7 @@ from channels.generic.websocket import AsyncJsonWebsocketConsumer, AsyncWebsocke
from django.conf import settings
from django.db import transaction
from django.utils import timezone
from django.utils.crypto import constant_time_compare
from c3nav.mesh import messages
from c3nav.mesh.messages import (MESH_BROADCAST_ADDRESS, MESH_NONE_ADDRESS, MESH_ROOT_ADDRESS, OTA_CHUNK_SIZE,
@ -58,7 +59,8 @@ class MeshConsumer(AsyncWebsocketConsumer):
async def connect(self):
self.headers = dict(self.scope["headers"])
if self.headers[b'authorization'].strip() != b'Bearer '+settings.SECRET_MESH_KEY.encode():
if not constant_time_compare(self.headers[b'authorization'].strip(),
b'Bearer '+settings.SECRET_MESH_KEY.encode()):
raise DenyConnection
# await self.log_text(None, "new mesh websocket connection")
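Review bot: A request that carries no Authorization header still fails with a KeyError at `self.headers[b'authorization']` in connect() instead of reaching `raise DenyConnection`, so the missing-credential case is not rejected by the same path as the wrong-credential case. Reading the value with `self.headers.get(b'authorization', b'')` before handing it to `constant_time_compare` would route both cases through the constant-time comparison and the explicit denial. How the unhandled KeyError surfaces to the client depends on the channels runtime and is not visible here. A short comment above the comparison, such as `# constant-time compare: do not leak how much of the mesh key matched`, would keep a later edit from reverting it to `!=`. connect() continues past the end of the hunk.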