Give the same error if the username doesn't exist or if the password
is wrong. If we deliver separate errors, we tell the attacker whether
they've picked a valid password or not.
Also, if the username doesn't exist, hash the password anyway to avoid
this timing side-channel attack:
1. Invalid Username:
A. User tries to log in with invalid username.
B. User name is not found in database.
C. Password is never hashed.
2. Invalid Password:
A. User tries to log in with valid username.
B. User name is found in database.
C. Password is hashed.
Given that proper password hashing will take a minute, *not* hashing
the password takes so much less time that we've effectively indicated
to the attacker that the username didn't exist, regardless of the
error message. This way, no such error occurs.
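The check this commit describes, written out as an added example in Python (this is illustrative code, not code from the Plinth repository): the naive version returns early when the username is missing, so the unknown-user path skips the slow hash; the hardened version hashes against a fixed decoy record on that path and returns one generic message for both failures. The in-memory user table, the decoy salt, the iteration count and the message strings are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the example; a real deployment tunes this.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the deliberately slow step of the login check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed in-memory user table standing in for the database.
USERS = {"alice": make_record("correct horse battery staple")}

# Decoy record hashed once at startup. When the username is unknown we hash
# the submitted password against this so that path does the same work as a
# real comparison. Its plaintext is never accepted because we also require
# that the user actually exist.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = hash_password("decoy", _DECOY_SALT)

GENERIC_ERROR = "Invalid username or password."


def naive_login(username: str, password: str) -> tuple[bool, str]:
    """The 'before' behaviour: distinct errors and an early return that
    skips hashing entirely for unknown users (timing side channel)."""
    record = USERS.get(username)
    if record is None:
        return False, "No such user."          # fast path leaks existence
    salt, expected = record
    if hmac.compare_digest(hash_password(password, salt), expected):
        return True, "Welcome, %s." % username
    return False, "Wrong password."            # message leaks existence


def login(username: str, password: str) -> tuple[bool, str]:
    """Hardened: same message and same amount of hashing on both failures."""
    record = USERS.get(username)
    user_exists = record is not None
    salt, expected = record if user_exists else (_DECOY_SALT, _DECOY_HASH)
    candidate = hash_password(password, salt)   # always runs
    matched = hmac.compare_digest(candidate, expected)  # constant-time compare
    if user_exists and matched:
        return True, "Welcome, %s." % username
    return False, GENERIC_ERROR


def timing_gap(fn, rounds: int = 3) -> float:
    """Return (unknown-user time) / (wrong-password time) for a login function.
    Close to 1.0 means the two failure paths are indistinguishable by timing."""
    def avg(user):
        t0 = time.perf_counter()
        for _ in range(rounds):
            fn(user, "not the password")
        return (time.perf_counter() - t0) / rounds
    return avg("nobody") / avg("alice")


if __name__ == "__main__":
    print("naive   unknown/wrong ratio: %.3f" % timing_gap(naive_login))
    print("hardened unknown/wrong ratio: %.3f" % timing_gap(login))
```

Run it and the naive ratio is tiny (the unknown-user path does no hashing) while the hardened ratio sits near 1.0. Note that `timing_gap` is a coarse local measurement for illustration; on a real service the attacker averages over many requests, which is exactly why the decoy hash has to run on every unknown-user attempt rather than only most of them.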
f1e764f2e5728113f191456236d02fdae6e7680a
Partially revert the EM integration change, it's not solid yet. This
allows EM to grow on its own. However, I'm not reverting the whole
change because I want to make it easy to use EM from an external
repository, and most of the Plinth-specific changes are good. To use
EM in Plinth again, make sure EM and Plinth are in the same directory
before running start.sh. The directory structure should look like:
./exmachina/
./plinth/
start.sh updates Python's path correctly, so this change should be
transparent and Plinth should still run the same.
- add exmachina code and test code
- modify plinth.py to listen for shared secret on stdin at start
(if the appropriate flag is set) and try to connect to exmachina daemon
- use exmachina to read and set /etc/hostname as a demo
- update plinth init.d script to start exmachina and share keys
- update docs with new deps and run instructions
Removed robots.txt (we have "noindex,nofollow" in the template meta tags, do we need this?)
Added meta noindex,nofollow,noarchive tags for specific robots (googlebot etc.)
Removed extraneous meta tags useful only for indexing
Removed HTML5-Reset "_" directory. Not sure why it's useful to add an ambiguous folder to the directory tree.
Made sure no Google-y code was included (analytics, remote copy of JQuery, etc.)
Fixed symbolic link docs/style.css
New favicon and iOS "web clip" button