eeva/servant
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Note on basic auth timing attacks in servant-server.

Browse source
This commit is contained in:
aaron levin 2016-01-26 23:53:39 +01:00
parent ee04fbbe3a
commit dc464fa480
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
servant-server/src/Servant/Server/Internal/Auth.hs
View file

@ -37,6 +37,10 @@ mkAuthHandler = AuthHandler
-- * Basic Auth
-- | servant-server's current implementation of basic authentication is not
-- immune to certian kinds of timing attacks. Decoding payloads does not take
-- a fixed amount of time.
-- | The result of authentication/authorization
data BasicAuthResult usr
= Unauthorized