Prevent timing attacks on protected orders

This commit is contained in:
aftermath2
2023-04-01 12:00:00 +00:00
parent 5437f75468
commit 734caae70c


@ -1,4 +1,5 @@
from datetime import datetime, timedelta from datetime import datetime, timedelta
from hmac import compare_digest
from decouple import config from decouple import config
from django.conf import settings from django.conf import settings
@ -558,11 +559,12 @@ class OrderView(viewsets.ViewSet):
if not valid: if not valid:
return Response(context, status=status.HTTP_409_CONFLICT) return Response(context, status=status.HTTP_409_CONFLICT)
if order.password is not None and order.password != password: if order.password is not None:
return Response( if password is None or not compare_digest(order.password, password):
{"bad_request": "Wrong password"}, return Response(
status=status.HTTP_403_FORBIDDEN, {"bad_request": "Wrong password"},
) status=status.HTTP_403_FORBIDDEN,
)
# For order with amount range, set the amount now. # For order with amount range, set the amount now.
if order.has_range: if order.has_range:
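Review bot: `hmac.compare_digest` raises `TypeError` when either `str` operand contains a non-ASCII character, so a stored or submitted password with such characters would turn the intended 403 at the new `compare_digest(order.password, password)` call into an unhandled exception; compare UTF-8 bytes instead, `if password is None or not compare_digest(order.password.encode("utf-8"), password.encode("utf-8")):`. If the request field is not guaranteed to arrive as a string, an `isinstance(password, str)` check in the same guard avoids the same `TypeError` on the `.encode` call. Note that `compare_digest` only hides the operand values, not a length mismatch, which is acceptable here but worth a one-line comment next to the call, e.g. `# constant-time compare; raw password still stored in plaintext on the order`. Hashing the order password rather than storing it in plaintext would be a further improvement but is outside this hunk. The enclosing view method starts before the hunk.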