Call verifyPassword even if user does not exist.

Address timing attack caused by not doing the password check if the
user doesn't exist. Can expose valid usernames. Really only useful for
a tracker that doesn't allow anonymous access to issues. Issues
usually show usernames as part of the message display.

Author: rouilj

CHANGES.txt

@@ -73,6 +73,9 @@ Fixed:
 - issue2551108 - fix handling of designator links when formatted
   as markdown links. (Reported by Cedric Krier; John Rouillard)
 - Fix filename created from mail attachments, fixes issue2551118
+- Call verifyPassword even if user does not exist. Address timing
+  attack to discover valid account names. Useful where anonymous user
+  is not allowed access. (John Rouillard)
 
 Features:
 - issue2550522 - Add 'filter' command to command-line

roundup/cgi/actions.py

@@ -1357,6 +1357,11 @@ def verifyLogin(self, username, password):
         try:
             self.client.userid = self.db.user.lookup(username)
         except KeyError:
+            # Perform password check against anonymous user.
+            # Prevents guessing of valid usernames by detecting
+            # delay caused by checking password only on valid
+            # users.
+            _discard = self.verifyPassword("2", password)
             raise exceptions.LoginError(self._('Invalid login'))
 
         # verify the password