external
/
mailinabox
mirror of https://github.com/mail-in-a-box/mailinabox.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Use hmac.compare_digest() to compare mru_token

This commit is contained in:
Felix Spöttel 2020-09-06 12:54:45 +02:00
parent 481a333dc0
commit 49c333221a
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
management/totp.py
View File

@ -65,7 +65,7 @@ class TOTPStrategy():
raise MissingTokenError("Two factor code missing (no x-auth-token supplied)")
# TODO: Should a token replay be handled as its own error?
if token_header == mfa_state['mru_token'] or validate(mfa_state['secret'], token_header) != True:
if hmac.compare_digest(token_header, mfa_state['mru_token']) or validate(mfa_state['secret'], token_header) != True:
raise BadTokenError("Two factor code incorrect")
self.store_successful_login(token_header, env)