Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential issue validating token against candidate #26

Open
afk11 opened this issue Oct 24, 2018 · 0 comments
Open

Potential issue validating token against candidate #26

afk11 opened this issue Oct 24, 2018 · 0 comments

Comments

@afk11
Copy link

afk11 commented Oct 24, 2018
edited
Loading

I was reviewing stackoverflow for how people dealt with leftmost zeroes and I stumbled on this library

There's some issues stemming from the integer conversion where tokens with zeroes are treated as octal, and hence the implementation checks against the wrong token https://stackoverflow.com/questions/39695700/python-flask-app-leading-zeros-in-totp-error-python-2-7

But the subtle issue is that the library doesn't enforce the token length. By casting a string/int to an integer, you discard the leftmost zeroes and hence could allow 1 if the token was actually 000001.
https://github.com/tadeck/onetimepass/blob/master/onetimepass/__init__.py#L216

I suggest adhering to string semantics to avoid accepting potentially invalid input, and adopting a length constant time equality check when testing input against a candidate token here to eliminate timing side channels: https://github.com/tadeck/onetimepass/blob/master/onetimepass/__init__.py#L268
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@afk11