1
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-23 22:27:38 -05:00
caddy/modules/caddyhttp/caddyauth
Matthew Holt 937ec34201
caddyauth: Prevent user enumeration by timing
Always follow the code path of hashing and comparing a plaintext
password even if the account is not found by the given username; this
ensures that similar CPU cycles are spent for both valid and invalid
usernames.

Thanks to @tylerlm for helping and looking into this!
2020-10-31 10:51:05 -06:00
..
basicauth.go caddyauth: Prevent user enumeration by timing 2020-10-31 10:51:05 -06:00
caddyauth.go httpcaddyfile: Don't lowercase placeholder contents (fixes #3264) 2020-04-14 16:11:46 -06:00
caddyfile.go caddyhttp: Add client cert SAN placeholders 2020-06-11 16:19:07 -06:00
command.go caddyauth: Prevent user enumeration by timing 2020-10-31 10:51:05 -06:00
hashes.go caddyauth: Prevent user enumeration by timing 2020-10-31 10:51:05 -06:00