vh/rest-server
1
0
Fork 0
mirror of https://github.com/restic/rest-server.git synced 2025-12-07 09:36:13 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

use constant time comparison for sha1 password hash

Browse Source
This commit is contained in:
Michael Eischer
2021-03-27 17:38:11 +01:00
committed by Leo R. Lundgren
parent 46b020fd9e
commit 5a6ed2ffdf
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
htpasswd.go
View File

@@ -254,7 +254,7 @@ func (h *HtpasswdFile) Validate(user string, password string) bool {
case shaRe.MatchString(realPassword): case shaRe.MatchString(realPassword):
d := sha1.New() d := sha1.New()
_, _ = d.Write([]byte(password)) _, _ = d.Write([]byte(password))
if realPassword[5:] == base64.StdEncoding.EncodeToString(d.Sum(nil)) { if subtle.ConstantTimeCompare([]byte(realPassword[5:]), []byte(base64.StdEncoding.EncodeToString(d.Sum(nil)))) == 1 {
isValid = true isValid = true
} }
case bcrRe.MatchString(realPassword): case bcrRe.MatchString(realPassword):