[issue14532] multiprocessing module performs a time-dependent hmac comparison
Charles-François Natali
report at bugs.python.org
Wed Apr 11 23:18:57 CEST 2012
Charles-François Natali <neologix at free.fr> added the comment:
> Given that this issue has affected a lot of security-sensitive third-party code (keyczar, openid providers, almost every python web service that implements "secure cookies" [1] or other HMAC-based REST API signatures), I do like the idea of adding a warning in the relevant documentation as sbt proposed.
This does sound reasonable, along with the addition of a comparison
function immune to timing attacks to the hmac module (as noted, it's
not specific to hmac, but it looks like a reasonable place to add it).
Would you like to submit a patch (new comparison function with
documentation and test)?
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue14532>
_______________________________________
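
Added example, not part of the original message or of any patch attached to the issue: a signed-cookie check with the time-dependent comparison next to a hardened one. The "value|tag" cookie format, the key and all function names are assumptions made for illustration; hmac.compare_digest is the constant-time comparison available in the standard library of current Python versions.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret


def _expected_tag(value: bytes, key: bytes) -> bytes:
    """Hex HMAC-SHA256 tag over the cookie value."""
    return hmac.new(key, value, hashlib.sha256).hexdigest().encode("ascii")


def sign(value: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Build a cookie in the hypothetical 'value|tag' format."""
    return value + b"|" + _expected_tag(value, key)


def verify_weak(cookie: bytes, key: bytes = SECRET_KEY) -> bool:
    """Time-dependent check: == may return at the first differing byte."""
    value, _, tag = cookie.rpartition(b"|")
    return tag == _expected_tag(value, key)


def constant_time_equals(a: bytes, b: bytes) -> bool:
    """Comparison with no early exit on content.

    Only the length check can return early, and the tag length is public.
    Pure Python gives no hard timing guarantee, so prefer
    hmac.compare_digest where it is available.
    """
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y  # accumulate differences instead of branching on them
    return diff == 0


def verify(cookie: bytes, key: bytes = SECRET_KEY) -> bool:
    """Hardened check using the standard library's constant-time comparison."""
    value, sep, tag = cookie.rpartition(b"|")
    if not sep:
        return False  # malformed cookie: no tag present
    return hmac.compare_digest(tag, _expected_tag(value, key))
```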