httpauth.py, cookies.fhtml: Randomize CSRF token to prevent BREACH.
author Mark Wooding <mdw@distorted.org.uk>
Sat, 10 Aug 2013 12:31:30 +0000 (13:31 +0100)
committer Mark Wooding <mdw@distorted.org.uk>
Sat, 10 Aug 2013 12:33:27 +0000 (13:33 +0100)
commit 3cf8e1b7955599378bff9089cd66f50654c5cb12
tree 6d5a523ccd66b3391f1f9434254500171c96491a
parent 40c5485b01a84b8a6b83f0e63576039cb856a36c
httpauth.py, cookies.fhtml: Randomize CSRF token to prevent BREACH.

The use of `gzip' compression by servers, combined with the possibility
of inserting request parameters in responses, can leak information from
responses, notably the CSRF token.  We can defend this by splitting it
into two XOR pieces and combining them together again in the server.
cookies.fhtml
httpauth.py
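The masking scheme the commit message describes, as an added illustration rather than the project's own httpauth.py code: every response carries a fresh random mask together with the token XORed against it, so the bytes embedded in the compressed page change on each response and a compression-ratio oracle has nothing stable to match; the server recombines the two pieces and compares in constant time. Function names, the 32-byte token length and the base64 transport encoding are assumptions for this example.

```python
import base64
import hmac
import secrets
from typing import Optional

TOKEN_LEN = 32  # assumed size of the per-session CSRF token, in bytes


def new_session_token() -> bytes:
    """Server-side secret bound to the session; never sent in the clear."""
    return secrets.token_bytes(TOKEN_LEN)


def mask_token(token: bytes) -> str:
    """Encode `token` for one response as mask || (token XOR mask).

    The mask is a fresh one-time pad from the CSPRNG, so the same token
    yields a different ciphertext on every response; that is what denies
    BREACH a fixed byte string to guess against.
    """
    mask = secrets.token_bytes(len(token))
    masked = bytes(t ^ m for t, m in zip(token, mask))
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(encoded: str) -> Optional[bytes]:
    """Recover the token from a submitted value, or None if malformed."""
    try:
        raw = base64.urlsafe_b64decode(encoded.encode("ascii"))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != 2 * TOKEN_LEN:
        return None
    mask, masked = raw[:TOKEN_LEN], raw[TOKEN_LEN:]
    return bytes(m ^ c for m, c in zip(mask, masked))


def check_token(session_token: bytes, submitted: str) -> bool:
    """Validate a form submission against the session's stored token."""
    recovered = unmask_token(submitted)
    if recovered is None:
        return False
    # Constant-time comparison: the XOR step hides the token from the
    # compressor, but the final check must not leak it through timing.
    return hmac.compare_digest(session_token, recovered)
```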