
Use hmac.compare_digest to prevent timing attacks.

This commit is contained in:
Dimitri Huisman
2022-09-27 06:46:32 +00:00
committed by Alexander Graf
parent 5c9cdfe1de
commit 7a36f6bbb9
3 changed files with 37 additions and 13 deletions


@@ -2,6 +2,7 @@ from .. import models, utils
from . import v1
from flask import request
import flask
import hmac
from functools import wraps
from flask_restx import abort
@@ -19,10 +20,13 @@ def api_token_authorization(func):
client_ip = flask.request.headers.get('X-Real-IP', flask.request.remote_addr)
if utils.limiter.should_rate_limit_ip(client_ip):
abort(429, 'Too many attempts from your IP (rate-limit)' )
if request.args.get('api_token') != v1.api_token:
if (request.args.get('api_token') == '' or
request.args.get('api_token') == None):
abort(401, 'A valid API token is expected as query string parameter')
if not hmac.compare_digest(request.args.get('api_token'), v1.api_token):
utils.limiter.rate_limit_ip(client_ip)
flask.current_app.logger.warn(f'Invalid API token provided by {client_ip}.')
abort(401, 'A valid API token is expected as query string parameter')
abort(403, 'A valid API token is expected as query string parameter')
else:
flask.current_app.logger.info(f'Valid API token provided by {client_ip}.')
return func(*args, **kwds)
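Review bot: The new comparison `if not hmac.compare_digest(request.args.get('api_token'), v1.api_token):` raises TypeError (surfacing as a 500 rather than a 401) when either side is a str containing non-ASCII characters, since compare_digest only accepts ASCII-only str or bytes, or when `v1.api_token` is None or of a different type than the query value; the guard added just above it only covers an empty or missing request value. Binding the parameter once and comparing bytes keeps the constant-time property and avoids both failure modes: `token = request.args.get('api_token')`, `if not token: abort(401, 'A valid API token is expected as query string parameter')`, `if not hmac.compare_digest(token.encode(), v1.api_token.encode()):`. Whether `v1.api_token` can be unset at this point is not visible in the hunk; if it can, that case should abort before the comparison rather than rely on the TypeError. The `== None` in the added guard should be `is None` in any case, which the `not token` form absorbs. The wrapper function this code belongs to starts before the hunk.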