From ec10d15217dcb3c682f289284756df1f36fc912e Mon Sep 17 00:00:00 2001
From: codl
Date: Fri, 15 Mar 2019 18:29:55 +0100
Subject: [PATCH] pad to avoid oracle attacks on /api/known_instances

---
 routes/api.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/routes/api.py b/routes/api.py
index 95a9673..4f35f17 100644
--- a/routes/api.py
+++ b/routes/api.py
@@ -4,6 +4,7 @@ from flask import jsonify, redirect, make_response, request, Response
 from model import Account
 import libforget.settings
 import libforget.json
+import random
 
 @app.route('/api/health_check')
 def health_check():
@@ -68,6 +69,10 @@ def known_instances():
         if not known:
             return Response('[]', 404, mimetype='application/json')
 
+        # pad to avoid oracle attacks
+        for _ in range(random.randint(0, 1000)):
+            known += random.choice((' ', '\t', '\n'))
+
         return Response(known, mimetype='application/json')
     elif request.method == 'DELETE':
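Review bot: `+import random` brings in a non-cryptographic PRNG for a countermeasure the commit message frames as security-relevant; the padding loop added in the second hunk draws both the padding length and the padding characters from it. The `random` module is a Mersenne Twister whose output is, in principle, reconstructible from enough observed samples, so the padding length is not something a defender should treat as unpredictable. Change the line to `import secrets` and use `secrets.randbelow(1001)` / `secrets.choice((' ', '\t', '\n'))` in the loop. Independently of the generator, uniformly random padding only increases the number of responses needed to estimate the true length — padding the body up to a fixed block boundary would hide the content-dependent size more robustly; that change belongs in the second hunk, whose trailing context runs past the end of this view.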