USEFULL
/
gogs
mirror of https://github.com/gogs/gogs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Safe compare password (timing attack) (#4064)

pull/3335/merge
Denis Denisov 2017-01-28 20:28:52 +02:00 committed by 无闻
parent 9144ea2b1d
commit 84f28fc5d6
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
models/user.go
View File

@ -8,6 +8,7 @@ import (
"bytes" "bytes"
"container/list" "container/list"
"crypto/sha256" "crypto/sha256"
"crypto/subtle"
"encoding/hex" "encoding/hex"
"errors" "errors"
"fmt" "fmt"
@ -324,7 +325,7 @@ func (u *User) EncodePasswd() {
func (u *User) ValidatePassword(passwd string) bool { func (u *User) ValidatePassword(passwd string) bool {
newUser := &User{Passwd: passwd, Salt: u.Salt} newUser := &User{Passwd: passwd, Salt: u.Salt}
newUser.EncodePasswd() newUser.EncodePasswd()
return u.Passwd == newUser.Passwd return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
} }
// UploadAvatar saves custom avatar for user. // UploadAvatar saves custom avatar for user.