Commit 32825e8a authored by Matthew Holt's avatar Matthew Holt

basicauth: Patch timing vulnerability

parent cb8691a3
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
package basicauth package basicauth
import ( import (
"crypto/subtle"
"net/http" "net/http"
"github.com/mholt/caddy/middleware" "github.com/mholt/caddy/middleware"
...@@ -34,10 +35,13 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error ...@@ -34,10 +35,13 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
hasAuth = true hasAuth = true
// Check credentials // Check credentials
if !ok || username != rule.Username || password != rule.Password { if !ok ||
username != rule.Username ||
subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
continue continue
} }
// flag set only on success authentication
// Flag set only on successful authentication
isAuthenticated = true isAuthenticated = true
} }
} }
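Review bot: The username comparison on the new line `username != rule.Username ||` is still a plain string compare and, because `||` short-circuits, the constant-time password compare only runs once the username already matched, so response time still distinguishes a valid username from an invalid one. Compute both results unconditionally before branching: `userMatch := subtle.ConstantTimeCompare([]byte(username), []byte(rule.Username)) == 1`, `passMatch := subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) == 1`, then `if !ok || !userMatch || !passMatch { continue }`. Note that subtle.ConstantTimeCompare returns 0 immediately when the two lengths differ, so comparing fixed-length digests of each side (for example sha256.Sum256 of both values) rather than the raw bytes also keeps the stored credential's length from being observable. ServeHTTP begins before this hunk and its body continues past the closing brace on the last line shown.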