Diffstat (limited to 'src')
| -rw-r--r-- | src/admin.py | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/admin.py b/src/admin.py
index 4dc8b6c..f419dee 100644
--- a/src/admin.py
+++ b/src/admin.py
@@ -1,5 +1,6 @@
 import datetime
 import hashlib
+import secrets
 import uuid
 
 import marko
@@ -94,8 +95,7 @@ async def login():
 if form:
 password = hashlib.sha256(form["password"].encode()).hexdigest()
-# FIXME: this is insecure due to timing attacks. use a library for this comparison.
-if password == q.current_app.config["ADMIN_PASSWORD"]:
+if secrets.compare_digest(password, q.current_app.config["ADMIN_PASSWORD"]):
 async with pool.acquire() as conn:
 ids = await conn.fetch(
 "INSERT INTO admin_logins (ipaddr) VALUES ($1) RETURNING id;",
|
