Github user pyr commented on the pull request:
https://github.com/apache/cloudstack/pull/65#issuecomment-69926943
thanks @bhaisaab
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this featur
Github user bhaisaab commented on the pull request:
https://github.com/apache/cloudstack/pull/65#issuecomment-69926558
Tested locally on master, works for me. Thanks for your contribution @pyr
Github user asfgit closed the pull request at:
https://github.com/apache/cloudstack/pull/65
Github user pyr commented on a diff in the pull request:
https://github.com/apache/cloudstack/pull/65#discussion_r22930247
--- Diff: server/src/com/cloud/api/ConstantTimeComparator.java ---
@@ -0,0 +1,36 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// o
Github user bhaisaab commented on the pull request:
https://github.com/apache/cloudstack/pull/65#issuecomment-69899701
LGTM, let me test it. I can help backport it to 4.3/4.4, it's a good fix.
Github user bhaisaab commented on a diff in the pull request:
https://github.com/apache/cloudstack/pull/65#discussion_r22929307
--- Diff: server/src/com/cloud/api/ConstantTimeComparator.java ---
@@ -0,0 +1,36 @@
+// Licensed to the Apache Software Foundation (ASF) under one
I'll note here that this can be applied to 4.4 and 4.3 as well, modulo some
simple changes.
On Wed, Jan 14, 2015 at 11:32 AM, pyr wrote:
> GitHub user pyr opened a pull request:
>
> https://github.com/apache/cloudstack/pull/65
>
> Use constant-time comparison functions when checking sign
GitHub user pyr opened a pull request:
https://github.com/apache/cloudstack/pull/65
Use constant-time comparison functions when checking signatures
This limits the likeliness of timing attacks against the API.
See http://codahale.com/a-lesson-in-timing-attacks/ for the
full r
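
The change described in this pull request, illustrated as an added example (this is not the code from the pull request, whose `ConstantTimeComparator.java` body is not shown here): an early-exit string comparison beside a constant-time one for checking a request signature. The HMAC-SHA1/Base64 scheme, the class and method names, and the sample key and request are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SignatureCheckExample {
    // Expected signature for a request (assumed scheme: Base64(HMAC-SHA1(key, request))).
    static String sign(String secretKey, String request) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(
                mac.doFinal(request.getBytes(StandardCharsets.UTF_8)));
    }

    // Before: String.equals stops at the first differing character, so the
    // response time depends on how many leading characters of the guess match.
    static boolean verifyLeaky(String expected, String supplied) {
        return expected.equals(supplied);
    }

    // After: every byte is always examined and the differences are OR-ed
    // together, so the run time does not depend on where a mismatch occurs.
    // The early return on length is acceptable: the signature length is public.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ supplied[i];
        }
        return diff == 0;
    }

    static boolean verify(String secretKey, String request, String supplied) throws Exception {
        if (supplied == null) {
            return false; // missing signature parameter
        }
        return constantTimeEquals(sign(secretKey, request).getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String key = "constructed-secret-key";                   // constructed sample
        String request = "apikey=constructed&command=listusers"; // constructed sample
        System.out.println(verify(key, request, sign(key, request)));         // true
        System.out.println(verify(key, request, sign("other-key", request))); // false
        System.out.println(verify(key, request, null));                       // false
    }
}
```

The JDK's `java.security.MessageDigest.isEqual(byte[], byte[])` performs the same kind of comparison and can replace the hand-written loop.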