Prevent timing attacks on protected orders

2025-08-07 19:40:21 +00:00 · 2023-04-01 12:00:00 +00:00
parent 5437f75468
commit 734caae70c
1 changed files with 7 additions and 5 deletions
--- a/api/views.py
+++ b/api/views.py
@ -1,4 +1,5 @@
 from datetime import datetime, timedelta
+from hmac import compare_digest

 from decouple import config
 from django.conf import settings
@ -558,11 +559,12 @@ class OrderView(viewsets.ViewSet):
                if not valid:
                    return Response(context, status=status.HTTP_409_CONFLICT)

-                if order.password is not None and order.password != password:
-                    return Response(
-                        {"bad_request": "Wrong password"},
-                        status=status.HTTP_403_FORBIDDEN,
-                    )
+                if order.password is not None:
+                    if password is None or not compare_digest(order.password, password):
+                        return Response(
+                            {"bad_request": "Wrong password"},
+                            status=status.HTTP_403_FORBIDDEN,
+                        )

                # For order with amount range, set the amount now.
                if order.has_range: