From 5a6ed2ffdf9a6131c357c77e98ef0ac26d628aee Mon Sep 17 00:00:00 2001
From: Michael Eischer
Date: Sat, 27 Mar 2021 17:38:11 +0100
Subject: [PATCH] use constant time comparison for sha1 password hash

---
 htpasswd.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/htpasswd.go b/htpasswd.go
index 7c700d9..048a6c8 100644
--- a/htpasswd.go
+++ b/htpasswd.go
@@ -254,7 +254,7 @@ func (h *HtpasswdFile) Validate(user string, password string) bool {
 case shaRe.MatchString(realPassword):
 d := sha1.New()
 _, _ = d.Write([]byte(password))
- if realPassword[5:] == base64.StdEncoding.EncodeToString(d.Sum(nil)) {
+ if subtle.ConstantTimeCompare([]byte(realPassword[5:]), []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))) == 1 {
 isValid = true
 }
 case bcrRe.MatchString(realPassword):
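Review bot: The new `if` line calls `subtle.ConstantTimeCompare`, but the diffstat shows one insertion and one deletion in htpasswd.go and no import change, so unless `crypto/subtle` is already imported for another branch of Validate this file will not compile; the import block is outside the hunk and should be checked. The comparison is done on the base64 text rather than the decoded digest bytes, which is sound but reads better as two named operands, e.g. `want := []byte(realPassword[5:])` and `got := []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))` followed by `if subtle.ConstantTimeCompare(want, got) == 1 {`. ConstantTimeCompare returns 0 immediately when the operand lengths differ; that is acceptable here because the length of a base64-encoded SHA-1 digest is fixed and not secret, but it is worth a one-line comment so a later reader does not mistake the early exit for a timing leak. The enclosing Validate method starts and ends outside the hunk.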