[GH-ISSUE #228] Is authentication done in constant time for Basic Authentication ? #117

New Issue

Closed

opened 2026-04-08 16:50:26 +03:00 by zhus · 1 comment

zhus commented 2026-04-08 16:50:26 +03:00

Owner

Copy Link

Originally created by @perrinjerome on GitHub (Jun 2, 2023).
Original GitHub issue: https://github.com/sigoden/dufs/issues/228

Problem

If I understand correctly, when running with --auth-method basic, this

4f3a8d275b/src/auth.rs (L309-L315)

is not comparing the password using constant time, which is not recommended according to
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#compare-password-hashes-using-safe-functions

Maybe something like https://docs.rs/constant_time_eq/latest/constant_time_eq/ could be used instead, but I don't know much about rust ecosystem so I am can not really recommend any implementation.

Log

If applicable, add logs to help explain your problem.

Environment:

• Dufs version: 0.34.1
• Browser/Webdav Info:
• OS Info:

Originally created by @perrinjerome on GitHub (Jun 2, 2023). Original GitHub issue: https://github.com/sigoden/dufs/issues/228 **Problem** <!-- A clear and concise description of what the bug is. --> If I understand correctly, when running with `--auth-method basic`, this https://github.com/sigoden/dufs/blob/4f3a8d275b7f2904ec2e16a0a8e54e4a9bec1986/src/auth.rs#L309-L315 is not comparing the password using constant time, which is not recommended according to https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#compare-password-hashes-using-safe-functions Maybe something like https://docs.rs/constant_time_eq/latest/constant_time_eq/ could be used instead, but I don't know much about rust ecosystem so I am can not really recommend any implementation. **Log** If applicable, add logs to help explain your problem. **Environment:** - Dufs version: 0.34.1 - Browser/Webdav Info: - OS Info:

zhus closed this issue 2026-04-08 16:50:26 +03:00

zhus commented 2026-04-08 16:50:27 +03:00

Author

Owner

Copy Link

@sigoden commented on GitHub (Jun 2, 2023):

This is over optimized

<!-- gh-comment-id:1573784178 --> @sigoden commented on GitHub (Jun 2, 2023): This is over optimized

zhus referenced this issue 2026-04-08 16:53:05 +03:00

[PR #117] [CLOSED] chore(deps): bump serde from 1.0.140 to 1.0.141 #478

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

chore-release

v0.46.0-rc1

v0.45.0

v0.44.0

v0.43.0

v0.42.0

v0.41.0

v0.40.0

v0.39.0

v0.38.0

v0.37.1

v0.37.0

v0.36.0

v0.35.0

v0.34.2

v0.34.1

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.0

v0.27.0

v0.26.0

v0.25.0

v0.24.0

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.1

v0.17.0

v0.16.0

v0.15.1

v0.15.0

v0.14.0

v0.13.2

v0.13.1

v0.13.0

v0.12.1

v0.11.0

v0.10.1

v0.10.0

v0.9.0

v0.8.0

v0.7.0

v0.6.0

v0.5.0

v0.4.0

v0.3.0

v0.2.1

v0.2.0

v0.1.0

Labels

Clear labels

bug

enhancement

help wanted

pull-request

Mirrored from GitHub Pull Request

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

zhus

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sigoden/dufs#117