From ce23442f4b08391d765c9a4e9fef660d51160728 Mon Sep 17 00:00:00 2001
From: jesopo
Date: Tue, 12 Feb 2019 11:59:38 +0000
Subject: [PATCH] Use constant-time compare in permissions.py for password identifying
---
 modules/permissions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/permissions.py b/modules/permissions.py
index e24f6ea0..e620f46f 100644
--- a/modules/permissions.py
+++ b/modules/permissions.py
@@ -67,7 +67,7 @@ class Module(ModuleManager.BaseModule):
 hash, salt = self._get_hash(event["server"], account)
 if hash and salt:
 attempt, _ = self._make_hash(password, salt)
- if attempt == hash:
+ if utils.security.constant_time_compare(attempt, hash):
 self._identified(event["server"], event["user"], account)
 event["stdout"].write("Correct password, you have "
 "been identified as '%s'." % account)
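Review bot: The new condition `if utils.security.constant_time_compare(attempt, hash):` depends on a helper whose definition is not part of this patch, so the constant-time property cannot be confirmed from the hunk; it should delegate to the standard library's `hmac.compare_digest` rather than a hand-written loop. If it does, `hmac.compare_digest` raises `TypeError` when one operand is `str` and the other is bytes-like, or when a `str` operand contains non-ASCII characters, so `attempt` and the stored `hash` must be the same type. A short comment above the call would record that, for example `# both digests are ASCII str; compare_digest requires matching types`. Separately, the local name `hash` shadows the builtin and `stored_hash` would read more clearly. The enclosing method starts and ends outside the hunk, so the failure branch and any attempt limiting could not be reviewed here.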