[GH-ISSUE #228] Is authentication done in constant time for Basic Authentication ? #4928

New Issue

Closed

opened 2026-05-28 23:33:00 +03:00 by zhus · 1 comment

zhus commented 2026-05-28 23:33:00 +03:00

Owner

Copy Link

Copy Source

Originally created by @perrinjerome on GitHub (Jun 2, 2023).
Original GitHub issue: https://github.com/sigoden/dufs/issues/228

Problem

If I understand correctly, when running with --auth-method basic, this

https://github.com/sigoden/dufs/blob/4f3a8d275b7f2904ec2e16a0a8e54e4a9bec1986/src/auth.rs#L309-L315

is not comparing the password using constant time, which is not recommended according to
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#compare-password-hashes-using-safe-functions

Maybe something like https://docs.rs/constant_time_eq/latest/constant_time_eq/ could be used instead, but I don't know much about rust ecosystem so I am can not really recommend any implementation.

Log

If applicable, add logs to help explain your problem.

Environment:

• Dufs version: 0.34.1
• Browser/Webdav Info:
• OS Info:

Originally created by @perrinjerome on GitHub (Jun 2, 2023). Original GitHub issue: https://github.com/sigoden/dufs/issues/228 **Problem** <!-- A clear and concise description of what the bug is. --> If I understand correctly, when running with `--auth-method basic`, this https://github.com/sigoden/dufs/blob/4f3a8d275b7f2904ec2e16a0a8e54e4a9bec1986/src/auth.rs#L309-L315 is not comparing the password using constant time, which is not recommended according to https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#compare-password-hashes-using-safe-functions Maybe something like https://docs.rs/constant_time_eq/latest/constant_time_eq/ could be used instead, but I don't know much about rust ecosystem so I am can not really recommend any implementation. **Log** If applicable, add logs to help explain your problem. **Environment:** - Dufs version: 0.34.1 - Browser/Webdav Info: - OS Info:

zhus closed this issue 2026-05-28 23:33:00 +03:00

zhus commented 2026-05-28 23:33:01 +03:00

Author

Owner

Copy Link

Copy Source

@sigoden commented on GitHub (Jun 2, 2023):

This is over optimized

<!-- gh-comment-id:1573784178 --> @sigoden commented on GitHub (Jun 2, 2023): This is over optimized

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

v0.46.0

v0.46.0-rc3

v0.46.0-rc2

v0.46.0-rc1

v0.45.0

v0.44.0

v0.43.0

v0.42.0

v0.41.0

v0.40.0

v0.39.0

v0.38.0

v0.37.1

v0.37.0

v0.36.0

v0.35.0

v0.34.2

v0.34.1

v0.34.0

v0.33.0

v0.32.0

v0.31.0

v0.30.0

v0.29.0

v0.28.0

v0.27.0

v0.26.0

v0.25.0

v0.24.0

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.0

v0.19.0

v0.18.0

v0.17.1

v0.17.0

v0.16.0

v0.15.1

v0.15.0

v0.14.0

v0.13.2

v0.13.1

v0.13.0

v0.12.1

v0.11.0

v0.10.1

v0.10.0

v0.9.0

v0.8.0

v0.7.0

v0.6.0

v0.5.0

v0.4.0

v0.3.0

v0.2.1

v0.2.0

v0.1.0

Labels

Clear labels

bug

enhancement

help wanted

pull-request

Mirrored from GitHub Pull Request

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

zhus (Sergey Zhukov)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sigoden/dufs#4928