use digest-compare for password-comparison (#360)

Jonas Große Sundrup
2016-12-16 21:22:05 +01:00
committed by Raphael Michel
parent b098c9c16a
commit e5cb26464e


@@ -1,3 +1,5 @@
import hmac
from django.conf import settings from django.conf import settings
from django.http import HttpResponse from django.http import HttpResponse
@@ -26,9 +28,9 @@ def serve_metrics(request):
user, passphrase = credentials.strip().decode("base64").split(":", 1) user, passphrase = credentials.strip().decode("base64").split(":", 1)
if user != settings.METRICS_USER: if not hmac.compare_digest(user, settings.METRICS_USER):
return unauthed_response() return unauthed_response()
if passphrase != settings.METRICS_PASSPHRASE: if not hmac.compare_digest(passphrase, settings.METRICS_PASSPHRASE):
return unauthed_response() return unauthed_response()
# ok, the request passed the authentication-barrier, let's hand out the metrics: # ok, the request passed the authentication-barrier, let's hand out the metrics:
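Review bot: The username is still checked and rejected before the passphrase is compared, so the two separate `return unauthed_response()` branches can let response timing distinguish a wrong username from a wrong passphrase, even though each comparison is now constant-time. Evaluating both and branching once avoids that: `user_ok = hmac.compare_digest(user, settings.METRICS_USER)`, `pass_ok = hmac.compare_digest(passphrase, settings.METRICS_PASSPHRASE)`, `if not (user_ok and pass_ok): return unauthed_response()`. Also, `hmac.compare_digest` raises `TypeError` when its arguments are of different types (or are non-ASCII text strings on Python 3), where `!=` simply returned a result. If the settings values can be unicode while the decoded credentials are bytes, an auth attempt would become an unhandled error unless the surrounding code catches it, so an explicit encode or a comment stating the expected types next to the calls would help. serve_metrics begins and continues outside the hunk, so whether such an exception is caught cannot be seen here.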