[issue14532] multiprocessing module performs a time-dependent hmac comparison

Charles-François Natali report at bugs.python.org
Wed Apr 11 16:41:04 CEST 2012


Charles-François Natali <neologix at free.fr> added the comment:

> You call it obfuscating, I call it security correctness and developer education. Tomayto, tomahto. ;-)

Well, I'd be prompt to change to a more robust digest check
algorithm if the current one had a flaw, but AFAICT, it's not the case
(but I'm no security expert).

> Anywho, your call of course, feel free to close.

Being a core Python developer doesn't mean I'm right ;-)

I just don't think that "set an example for other hmac module users"
is a good reason on its own to complicate the code, which is currently
readable and - AFAICT - safe (complexity usually introduces bugs).
Furthermore, I somehow doubt that hmac users will go and have a look
at the multiprocessing connection challenge code when looking for an
example.

One thing that could definitely be interesting is to look through the
code base and example to see if a similar - but vulnerable - pattern
is used, and fix such occurrences.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue14532>
_______________________________________
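The two things the comment turns on, a digest check that leaks timing through short-circuiting `==` beside the constant-time form, and the suggested audit for similar patterns elsewhere in a code base, as one added example. This is not code from the multiprocessing module, the tracker or the commenter; the function names, the shared secret and the sample source being scanned are constructed for illustration.

```python
import ast
import hashlib
import hmac
import os

# Minimal challenge-response of the kind the issue discusses (hypothetical
# names, not multiprocessing.connection's own deliver/answer_challenge).

def make_challenge(nbytes=20):
    """Server side: a fresh random challenge."""
    return os.urandom(nbytes)

def answer_challenge(secret, challenge):
    """Client side: prove knowledge of the secret with HMAC-SHA256."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def verify_naive(secret, challenge, response):
    """The pattern the issue is about: bytes '==' stops at the first
    mismatching byte, so how long it takes depends on how much of the
    response is correct."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return expected == response

def verify_constant_time(secret, challenge, response):
    """Hardened form: hmac.compare_digest runs in time independent of where
    the two inputs differ (for equal-length inputs; unequal lengths simply
    compare False)."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

# The audit the comment suggests: walk Python source and report every
# ==/!= comparison that has a .digest()/.hexdigest() call as a direct
# operand, i.e. the naive pattern above.

DIGEST_METHODS = {"digest", "hexdigest"}

def _is_digest_call(node):
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr in DIGEST_METHODS)

def find_digest_comparisons(source):
    """Return the line numbers of ==/!= comparisons whose operand is a
    direct .digest()/.hexdigest() call (candidates for compare_digest)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        if not any(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops):
            continue
        operands = [node.left] + list(node.comparators)
        if any(_is_digest_call(o) for o in operands):
            hits.append(node.lineno)
    return hits

# Constructed sample source: line 4 uses the naive pattern, line 6 the
# constant-time one, which the scanner must not flag.
SAMPLE_SOURCE = '''
import hmac, hashlib
def check(key, msg, tag):
    if hmac.new(key, msg, hashlib.sha256).digest() == tag:
        return True
    return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag)
'''

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ch = make_challenge()
    resp = answer_challenge(secret, ch)
    print("naive check:", verify_naive(secret, ch, resp))
    print("constant-time check:", verify_constant_time(secret, ch, resp))
    print("naive digest comparisons at lines:", find_digest_comparisons(SAMPLE_SOURCE))
```

The scanner only catches the literal shape where a digest call sits directly in the comparison; a digest stored in a variable first would need simple data-flow tracking, so treat its output as a starting list for review rather than a complete audit.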