basicauth: Patch timing vulnerability
This commit is contained in:
parent
cb8691a381
commit
32825e8a79
1 changed files with 6 additions and 2 deletions
|
@ -2,6 +2,7 @@
|
|||
package basicauth
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"net/http"
|
||||
|
||||
"github.com/mholt/caddy/middleware"
|
||||
|
@ -34,10 +35,13 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
|
|||
hasAuth = true
|
||||
|
||||
// Check credentials
|
||||
if !ok || username != rule.Username || password != rule.Password {
|
||||
if !ok ||
|
||||
username != rule.Username ||
|
||||
subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
|
||||
continue
|
||||
}
|
||||
// flag set only on success authentication
|
||||
|
||||
// Flag set only on successful authentication
|
||||
isAuthenticated = true
|
||||
}
|
||||
}
|
||||
|
|
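Review bot: The rewritten condition still short-circuits on `username != rule.Username` before `subtle.ConstantTimeCompare` runs, so a request with an unknown username is answered measurably faster than one with a known username and a wrong password, which lets a remote caller confirm which usernames exist by timing — the same class of leak this commit sets out to close. Both comparisons should be evaluated unconditionally in constant time and only then decide whether to `continue`; note also that `subtle.ConstantTimeCompare` returns immediately when the two lengths differ, so comparing fixed-length digests of both sides (e.g. `sha256.Sum256`) instead of the raw bytes avoids leaking the length of the stored credential as well. The enclosing `ServeHTTP` and the rule loop begin and end outside the hunk, and the `isAuthenticated = true` path below the check is otherwise unchanged.
```go
// Check credentials: run both comparisons unconditionally so the
// response time does not reveal which field was wrong.
userOK := subtle.ConstantTimeCompare([]byte(username), []byte(rule.Username)) == 1
passOK := subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) == 1
if !ok || !userOK || !passOK {
	continue
}
// … unchanged: successful-authentication flag …
```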