diff options
| -rw-r--r-- | filters/simple-authentication.lua | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/simple-authentication.lua b/filters/simple-authentication.lua index 5935d08..5c4f074 100644 --- a/filters/simple-authentication.lua +++ b/filters/simple-authentication.lua @@ -45,7 +45,7 @@ function authenticate_post() redirect_to(redirect) - -- TODO: Implement time invariant string comparison function to mitigate timing attack. + -- Lua hashes strings, so these comparisons are time invariant. if password == nil or password ~= post["password"] then set_cookie("cgitauth", "") else @@ -222,7 +222,7 @@ function validate_value(cookie) return nil end - -- TODO: implement time invariant comparison to prevent against timing attack. + -- Lua hashes strings, so these comparisons are time invariant. if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then return nil end |