httpauth.py: Improve the CSRF token stuff.
author Mark Wooding <mdw@distorted.org.uk>
Thu, 23 Jan 2014 19:08:02 +0000 (19:08 +0000)
committer Mark Wooding <mdw@distorted.org.uk>
Thu, 23 Jan 2014 19:08:50 +0000 (19:08 +0000)
commit 7405b0d4150bd34218bdb27549005a1950fa2b17
tree 3f2e60c5ce2045b314efef111a6a0656f8b74764
parent 558d2d936e93cf72ca09f9869038cf89883c498c

I used to use a simple XOR split, but while I was describing this
mitigation to someone else it struck me that it doesn't actually work:
the bad guy can accept a slowdown factor of 256 and guess corresponding
bytes of both halves to work through the whole token.

Replace the XOR split with a full-on all-or-nothing transform based on
OAEP.
httpauth.py
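
The two token encodings the commit message contrasts, as an added example that is not the code from httpauth.py. It assumes the XOR split has the form pad || (pad XOR token), and builds the OAEP-style all-or-nothing transform from SHAKE-256 with a 16-byte random seed; the function names, mask function and seed length are all hypothetical choices, since the module's own are not shown on this page.

```python
import hashlib
import secrets

SEED_LEN = 16  # assumed seed size for the OAEP-style transform


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mask(label: bytes, seed: bytes, n: int) -> bytes:
    """Expand seed to n bytes with SHAKE-256, domain-separated by label."""
    return hashlib.shake_256(label + seed).digest(n)


def xor_split(token: bytes) -> bytes:
    """Old scheme (assumed layout): pad || (pad XOR token).
    Byte i of the token depends only on byte i of each half."""
    pad = secrets.token_bytes(len(token))
    return pad + _xor(pad, token)


def xor_join(blob: bytes) -> bytes:
    half = len(blob) // 2
    return _xor(blob[:half], blob[half:])


def aont_wrap(token: bytes) -> bytes:
    """OAEP-style all-or-nothing transform: X = token XOR G(r),
    Y = r XOR H(X). Every byte of X||Y is needed to recover any of token."""
    r = secrets.token_bytes(SEED_LEN)
    x = _xor(token, _mask(b"G", r, len(token)))
    y = _xor(r, _mask(b"H", x, SEED_LEN))
    return x + y


def aont_unwrap(blob: bytes) -> bytes:
    if len(blob) <= SEED_LEN:
        raise ValueError("wrapped token too short")
    x, y = blob[:-SEED_LEN], blob[-SEED_LEN:]
    r = _xor(y, _mask(b"H", x, SEED_LEN))   # needs all of X and all of Y
    return _xor(x, _mask(b"G", r, len(x)))  # needs all of r


if __name__ == "__main__":
    tok = b"constructed-csrf-token-0123456789"  # constructed sample value
    for wrap, unwrap in ((xor_split, xor_join), (aont_wrap, aont_unwrap)):
        blob = bytearray(wrap(tok))
        blob[0] ^= 1  # disturb one byte of the encoded form
        print(wrap.__name__, unwrap(bytes(blob)))
```

Run directly, it shows that disturbing one byte of the XOR-split form changes only the matching token byte, while the same change to the all-or-nothing form scrambles the whole recovered token.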