mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-28 13:49:13 -05:00
2 lines
617 B
Markdown
2 lines
617 B
Markdown
|
Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to [timing attacks](https://en.wikipedia.org/wiki/Timing_attack). A pre-condition for such an attack is the precise measurements of the time for each operation. Since it requires observing the timing of network operations, the issue is mitigated when a Forgejo instance is accessed over the internet because the ISP introduce unpredictable random delays.
|