From 32825e8a7955b70c05141c755bf7660c5332f738 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Fri, 29 May 2015 23:08:01 -0600
Subject: [PATCH] basicauth: Patch timing vulnerability

---
 middleware/basicauth/basicauth.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/middleware/basicauth/basicauth.go b/middleware/basicauth/basicauth.go
index bb39876d..221446a2 100644
--- a/middleware/basicauth/basicauth.go
+++ b/middleware/basicauth/basicauth.go
@@ -2,6 +2,7 @@ package basicauth
 import (
+ "crypto/subtle"
 "net/http"
 "github.com/mholt/caddy/middleware"
@@ -34,10 +35,13 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
 hasAuth = true
 // Check credentials
- if !ok || username != rule.Username || password != rule.Password {
+ if !ok ||
+ username != rule.Username ||
+ subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
 continue
 }
- // flag set only on success authentication
+
+ // Flag set only on successful authentication
 isAuthenticated = true
 }
 }
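Review bot: The new condition in the second hunk still leaks which half of the credential failed: `username != rule.Username` remains an ordinary short-circuiting string compare, and because it sits ahead of the `||`, `subtle.ConstantTimeCompare` only executes when the username already matched, so a valid username stays distinguishable by response time even though the password check is now constant-time. Evaluate both comparisons unconditionally and combine their results with `&` instead of `||`, so every rule takes the same path regardless of which field differs. `subtle.ConstantTimeCompare` also returns 0 immediately when the lengths differ (documented stdlib behaviour), so the timing still depends on the secret's length; hashing both sides with a fixed-output hash such as `sha256.Sum256` before comparing removes that dependence at the cost of one extra import. ServeHTTP starts before and ends after this hunk, so `ok`, `username` and `password` are not visible here and the rewrite below assumes they keep their current meaning.
```go
			// Check credentials: compare both fields in constant time and
			// combine with & so neither comparison short-circuits the other.
			userMatch := subtle.ConstantTimeCompare([]byte(username), []byte(rule.Username))
			passMatch := subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password))
			if !ok || userMatch&passMatch != 1 {
				continue
			}
			// … unchanged: isAuthenticated = true …
```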