Prevent timing attacks on protected orders

This commit is contained in:
aftermath2
2023-04-01 12:00:00 +00:00
parent 5437f75468
commit 734caae70c


@ -1,4 +1,5 @@
from datetime import datetime, timedelta
from hmac import compare_digest
from decouple import config
from django.conf import settings
@ -558,7 +559,8 @@ class OrderView(viewsets.ViewSet):
if not valid:
return Response(context, status=status.HTTP_409_CONFLICT)
if order.password is not None and order.password != password:
if order.password is not None:
if password is None or not compare_digest(order.password, password):
return Response(
{"bad_request": "Wrong password"},
status=status.HTTP_403_FORBIDDEN,