Issue 2234 - Add a WSGI controller to collect email addresses for the Adblock Browser iOS launch

sitescripts/signing.py

Index: sitescripts/signing.py
===================================================================
new file mode 100644
--- /dev/null
+++ b/sitescripts/signing.py
@@ -0,0 +1,17 @@
+import hmac
+import hashlib
+
+from sitescripts.utils import get_config
+
+_SECRET = get_config().get('DEFAULT', 'secret')

[Wladimir Palant, 2015/04/23 16:04:40]

No, it should be .get('submit_email', 'secret') - the secret is specific to the
application. The fact that our example configuration puts it under DEFAULT
should probably be considered a bug, even though it works correctly that way.

[Sebastian Noack, 2015/04/23 16:29:41]

Done.

+
+def constant_time_compare(s1, s2):
+  if len(s1) != len(s2):
+    return False
+  return reduce(lambda a, b: a | b, (ord(c1) ^ ord(c2) for c1, c2 in zip(s1, s2))) == 0

[Wladimir Palant, 2015/04/23 16:04:40]

Do I get it correctly that you are trying to address timing attacks here? We are
comparing strings that are merely 32 characters long, and the potential attacker
isn't exactly sitting in front of our server. The comparison takes a bunch of
nanoseconds on my computer - that's several magnitudes smaller than the
variation introduced by the HTTP processing (never mind the network). You don't
need to overthink this...

Without this function this module isn't justified and I don't think we should
have it.

[Sebastian Noack, 2015/04/23 16:29:41]

Sure, that was the idea. But fair enough.

+
+def sign(data):
+  return hmac.new(_SECRET, data, hashlib.sha1).hexdigest()
+  
+def verify(data, signature):
+  return constant_time_compare(sign(data), signature)