dictation-toolbox/aenea

Windows server needs security token support

Closed this issue · 2 comments

Currently, the Windows server does not support the security token. It should be an easy fix, but I really don't have time to learn Haskell at the moment, despite it being on my todo list. Each RPC comes with a security_token, and the server must be able to configure one. Then, if they don't match (please be sure to use a string comparison function that takes the same amount of time regardless of the number of matching characters), reject the RPC.

I have added a note to the README warning against its use until this is resolved, but have made the decision that as a fairly obscure accessibility project that some people really need, it will do less harm to continue to make the vulnerable server available despite the serious security issue. I'm not sure if the Windows server gets much use, but I wanted to be consistent here.

If anyone wants to tackle this, I could probably find a friend who knows Haskell willing to review your code.
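
One way to implement the check requested in this issue, as an added example that is not aenea's code and is written in Python rather than the Haskell of the Windows server. The JSON-RPC 2.0 request shape, the token's location in `params["security_token"]`, the error codes and the names `token_ok`, `handle` and `methods` are assumptions made for illustration.

```python
import hmac
import json

# Assumption: JSON-RPC 2.0 requests carrying the token in params["security_token"].
AUTH_ERROR = -32000  # inside JSON-RPC 2.0's implementation-defined error range


def token_ok(presented, configured):
    """Constant-time comparison of the presented token with the configured one."""
    # Fail closed: an unconfigured (empty) server token must never match.
    if not configured or not isinstance(presented, str):
        return False
    # compare_digest's running time does not depend on how many leading
    # characters match. Encoding to bytes permits non-ASCII tokens.
    return hmac.compare_digest(presented.encode("utf-8", "surrogatepass"),
                               configured.encode("utf-8", "surrogatepass"))


def _error(req_id, code, message):
    return {"jsonrpc": "2.0", "id": req_id,
            "error": {"code": code, "message": message}}


def handle(raw, configured, methods):
    """Authenticate one request, then dispatch it (hypothetical dispatcher)."""
    try:
        req = json.loads(raw)
    except ValueError:
        return _error(None, -32700, "parse error")
    if not isinstance(req, dict):
        return _error(None, -32600, "invalid request")
    params = req.get("params")
    params = dict(params) if isinstance(params, dict) else {}
    # Remove the token before dispatch so handlers never see it.
    presented = params.pop("security_token", None)
    if not token_ok(presented, configured):
        # One response for missing, malformed and wrong tokens alike.
        return _error(req.get("id"), AUTH_ERROR, "permission denied")
    name = req.get("method")
    method = methods.get(name) if isinstance(name, str) else None
    if method is None:
        return _error(req.get("id"), -32601, "method not found")
    return {"jsonrpc": "2.0", "id": req.get("id"), "result": method(**params)}
```

The token is checked before the method name is looked up, so an unauthenticated caller cannot use the "method not found" response to enumerate the server's RPCs.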