[dashboard] Use constant-time comparison for username check

Use hmac.compare_digest() for the username comparison to match
the existing constant-time password comparison. This prevents
username enumeration via timing analysis.
J. Nick Koston
2026-02-08 06:46:28 -06:00
parent 7b40e8afcb
commit 79a205eee2


@@ -84,11 +84,12 @@ class DashboardSettings:
def check_password(self, username: str, password: str) -> bool:
if not self.using_auth:
return True
if username != self.username:
return False
# Compare password in constant running time (to prevent timing attacks)
return hmac.compare_digest(self.password_hash, password_hash(password))
# Compare both in constant running time (to prevent timing attacks)
username_matches = hmac.compare_digest(username, self.username)
password_matches = hmac.compare_digest(
self.password_hash, password_hash(password)
)
return username_matches and password_matches
def rel_path(self, *args: Any) -> Path:
"""Return a path relative to the ESPHome config folder."""
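Review bot: `hmac.compare_digest(username, self.username)` on the added line raises `TypeError` when either argument is a `str` containing non-ASCII characters, so a request carrying such a username would turn into an unhandled exception in `check_password` instead of a `False` result, and the behaviour of the old `!=` check for those inputs is lost. Comparing the UTF-8 encoded forms avoids this: `username_matches = hmac.compare_digest(username.encode("utf-8"), self.username.encode("utf-8"))`. Note also that `compare_digest` is constant-time only for equal-length inputs and still reveals a length mismatch, which is worth stating in the comment, e.g. `# Compare both in constant running time (to prevent timing attacks); only the length may leak`. The `rel_path` method that follows continues outside the hunk.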