mirror
/
gin
mirror of https://github.com/gin-gonic/gin.git
1
0
Fork 1
Code Issues Packages Projects Releases Wiki Activity

basic auth: fix timing oracle (#2609) 

Co-authored-by: thinkerou <thinkerou@gmail.com>
This commit is contained in:
Snawoot 2021-01-13 03:40:37 +02:00 committed by GitHub
parent 46ddd4259c
commit b01605bb5b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
auth.go
View File

@ -5,6 +5,7 @@
package gin
import (
"crypto/subtle"
"encoding/base64"
"net/http"
"strconv"
@ -30,7 +31,7 @@ func (a authPairs) searchCredential(authValue string) (string, bool) {
return "", false
}
for _, pair := range a {
if pair.value == authValue {
if subtle.ConstantTimeCompare([]byte(pair.value), []byte(authValue)) == 1 {
return pair.user, true
}
}