| field | value | date |
|---|---|---|
| author | Runxi Yu <me@runxiyu.org> | 2025-04-11 21:33:16 +0800 |
| committer | Runxi Yu <me@runxiyu.org> | 2025-04-11 21:33:16 +0800 |
| commit | bae338623d587691b30047972247feba0f38ec8e (patch) | |
| tree | e4626354e21058f1cf36882516c792dd2fd8ddc7 /README.md | |
| parent | Note on demo instance (diff) | |
README.md: Note possibility of length-extension attacks
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -53,7 +53,6 @@ program provided near the HTML form, and submit their nonce manually. - We should allow Git clients and RSS readers. - If a user is attempting to submit a POST request but their powxy cookie is invalid, powxy would redirect them to a challenge, and their POST data will - be lost. - It does not work when duplex connections are needed, e.g. with Git's Smart HTTP protocol. @@ -63,6 +62,8 @@ program provided near the HTML form, and submit their nonce manually. what be a good solution though, it'd be nice to have something that's more memory-hard, but password-based key derivation functions are too heavy on the server. +- If we stay with SHA-256, an HMAC or prepending solutions should be used + instead of simply appending things; might have issues with length-extension. - Safari on iOS and iPadOS seem to unpredictably make their requests from different address families, which causes the challenge to fail. - Unix domain sockets. |
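Review bot: the removed line ` be lost.` in the first hunk is the wrapped continuation of the preceding bullet (`...and their POST data will`), so after this change that bullet ends mid-sentence. If the intent is to drop the POST-redirect limitation entirely, the two context lines above it (`- If a user is attempting to submit a POST request ...` and `invalid, powxy would redirect them ...`) should be removed with it; if the limitation still applies, the line should be kept. Either way this deletion is unrelated to the commit subject and deserves a sentence in the message.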
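Review bot: the new bullet in the second hunk reads as inverted relative to the usual length-extension analysis of SHA-256. Length extension lets anyone who knows H(m) and len(m) derive H(m || padding || suffix), so the exposed shape is a hash over an unknown prefix followed by attacker-visible data; putting the unknown part last is not length-extendable (it has other, collision-related weaknesses instead). Suggest the bullet say concretely which values powxy concatenates and in which order, or simply commit to `HMAC-SHA256` (or a length-extension-resistant hash such as SHA-3 or BLAKE2), which settles the question regardless of operand order; `prepending solutions` is too vague to act on as written.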