Stowage/rest-server
2
0
Fork 0
mirror of https://github.com/restic/rest-server.git synced 2025-10-19 15:43:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

use constant time comparison for sha1 password hash

Browse source
This commit is contained in:
Michael Eischer 2021-03-27 17:38:11 +01:00 committed by Leo R. Lundgren
parent 46b020fd9e
commit 5a6ed2ffdf
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
htpasswd.go
View file

@ -254,7 +254,7 @@ func (h *HtpasswdFile) Validate(user string, password string) bool {
case shaRe.MatchString(realPassword):
d := sha1.New()
_, _ = d.Write([]byte(password))
if realPassword[5:] == base64.StdEncoding.EncodeToString(d.Sum(nil)) {
if subtle.ConstantTimeCompare([]byte(realPassword[5:]), []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))) == 1 {
isValid = true
}
case bcrRe.MatchString(realPassword):