binux / pyspider

A Powerful Spider(Web Crawler) System in Python.
http://docs.pyspider.org/
Apache License 2.0
16.48k stars 3.69k forks

Potential Side Channel Attack on non-constant time Comparison #997

Open nevercodecorrect opened 6 months ago

nevercodecorrect commented 6 months ago

Expected behavior

The vulnerable code is here; the password comparison should use a constant-time algorithm.

Actual behavior

The vulnerable code is here. An attacker could leverage the differences between the execution times to recover the secrets. String comparison with `==` is not a constant implementation: the execution time may vary based on how many characters are matched. A constant-time implementation would be recommended. A more detailed explanation could be found here.

flowerone commented 6 months ago

I have received the e-mail you sent me. =================================================== This is an automatic reply, confirming that your e-mail was received. Thank you