CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-10 16:04:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

Harden timing when getting order with secret check (#4177)

Browse Source
This commit is contained in:
Richard Schreiber
2024-05-24 14:09:18 +02:00
committed by GitHub
parent 37908bd042
commit fb3046210b
1 changed files with 16 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
src/pretix/base/models/orders.py
View File

@@ -111,6 +111,15 @@ class OrderQuerySet(models.QuerySet):
dummy = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"[:secret_length] dummy = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"[:secret_length]
try: try:
order = self.get(code=code) order = self.get(code=code)
except Order.DoesNotExist:
# Do a hash comparison as well to harden against timing attacks
hmac.compare_digest(
salted_hmac(key_salt=b"", value=tag, algorithm="sha256",
secret=dummy).hexdigest()[:secret_length],
received_secret[:secret_length]
)
raise Order.DoesNotExist
if not hmac.compare_digest( if not hmac.compare_digest(
order.tagged_secret(tag, secret_length) if tag else order.secret, order.tagged_secret(tag, secret_length) if tag else order.secret,
received_secret[:secret_length].lower() if tag else received_secret.lower() received_secret[:secret_length].lower() if tag else received_secret.lower()
@@ -123,16 +132,6 @@ class OrderQuerySet(models.QuerySet):
): ):
raise Order.DoesNotExist raise Order.DoesNotExist
return order return order
except Order.DoesNotExist:
# Do a hash comparison as well to harden against timing attacks
if hmac.compare_digest(
salted_hmac(key_salt=b"", value=tag, algorithm="sha256",
secret=dummy).hexdigest()[:secret_length],
received_secret[:secret_length]
):
raise Order.DoesNotExist
else:
raise Order.DoesNotExist
class Order(LockModel, LoggedModel): class Order(LockModel, LoggedModel):