
basicauth: Patch timing vulnerability

This commit is contained in:
Matthew Holt 2015-05-29 23:08:01 -06:00
parent cb8691a381
commit 32825e8a79


@ -2,6 +2,7 @@
package basicauth package basicauth
import ( import (
"crypto/subtle"
"net/http" "net/http"
"github.com/mholt/caddy/middleware" "github.com/mholt/caddy/middleware"
@ -34,10 +35,13 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
hasAuth = true hasAuth = true
// Check credentials // Check credentials
if !ok || username != rule.Username || password != rule.Password { if !ok ||
username != rule.Username ||
subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
continue continue
} }
// flag set only on success authentication
// Flag set only on successful authentication
isAuthenticated = true isAuthenticated = true
} }
} }
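Review bot: The username check on the new `username != rule.Username ||` line is still a plain `!=`, and because `||` short-circuits, the constant-time password compare only runs once the username already matches, so the time spent on a request still depends on whether the username is valid even though the password compare is now constant-time. Comparing both fields with `subtle.ConstantTimeCompare` and combining the results with `&` rather than `||` keeps the timing independent of which field mismatched: `if !ok || subtle.ConstantTimeCompare([]byte(username), []byte(rule.Username))&subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {`. Note also that `subtle.ConstantTimeCompare` is documented to return 0 immediately when the two lengths differ, so it is constant-time only among equal-length inputs; comparing fixed-length digests (e.g. SHA-256) of each side instead of the raw strings removes that dependency. ServeHTTP begins before this hunk, so the declarations of `ok`, `username` and `password` are outside what is shown here.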