use constant time comparison for sha1 password hash

2025-12-06 17:15:45 -08:00 · 2021-03-27 17:38:11 +01:00
parent 46b020fd9e
commit 5a6ed2ffdf
1 changed files with 1 additions and 1 deletions
--- a/htpasswd.go
+++ b/htpasswd.go
@@ -254,7 +254,7 @@ func (h *HtpasswdFile) Validate(user string, password string) bool {
 	case shaRe.MatchString(realPassword):
 		d := sha1.New()
 		_, _ = d.Write([]byte(password))
-		if realPassword[5:] == base64.StdEncoding.EncodeToString(d.Sum(nil)) {
+		if subtle.ConstantTimeCompare([]byte(realPassword[5:]), []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))) == 1 {
 			isValid = true
 		}
 	case bcrRe.MatchString(realPassword):