zilencer: Check remote server API keys with constant-time comparison.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
Anders Kaseorg
2022-08-05 21:30:08 -07:00
committed by Tim Abbott
parent 887233a8eb
commit 2b1b070fda
2 changed files with 4 additions and 2 deletions


@@ -9,6 +9,7 @@ from django.db import IntegrityError, transaction
from django.db.models import Model
from django.http import HttpRequest, HttpResponse
from django.utils import timezone
from django.utils.crypto import constant_time_compare
from django.utils.translation import gettext as _
from django.utils.translation import gettext as err_
from django.views.decorators.csrf import csrf_exempt
@@ -139,7 +140,7 @@ def register_remote_server(
event_time=remote_server.last_updated,
)
else:
if remote_server.api_key != zulip_org_key:
if not constant_time_compare(remote_server.api_key, zulip_org_key):
raise InvalidZulipServerKeyError(zulip_org_id)
else:
remote_server.hostname = hostname
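Review bot: The new check `if not constant_time_compare(remote_server.api_key, zulip_org_key):` deserves a one-line why-comment, because a later reader may "simplify" it back to `!=`; something like `# Constant-time comparison: a plain != returns at the first differing byte, which could leak the key via timing.` Note that constant_time_compare (and the compare_digest it wraps) is constant-time with respect to content, not length, so the protection assumes stored and submitted keys are of a fixed length — presumably true for generated keys here, but worth confirming where zulip_org_key is validated. The enclosing register_remote_server starts outside the hunk, so any other comparisons of the key in that function are not visible in this change.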