
constant time comparsion for passwords in authmw (#11)
thorduri authored and groob committed Feb 1, 2018
1 parent f60ad55 commit be6fe7e
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion cmd/squirrel/serve.go
Expand Up @@ -8,6 +8,7 @@ import (
"net/http"
"os"
"strings"
"crypto/subtle"

kitlog "github.com/go-kit/kit/log"
"github.com/go-kit/kit/log/level"
Expand Down Expand Up @@ -152,7 +153,7 @@ func printMunkiHeadersHelp(password string) {
func authMW(next http.Handler, repoPassword string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
_, password, ok := r.BasicAuth()
if !ok || password != repoPassword {
if !ok || subtle.ConstantTimeCompare([]byte(password), []byte(repoPassword)) != 1 {
w.Header().Set("WWW-Authenticate", `Basic realm="munki"`)
http.Error(w, "you need to log in", http.StatusUnauthorized)
return
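Review bot: `subtle.ConstantTimeCompare` on the new comparison line returns 0 immediately when the two slices differ in length, so the rewritten check still reveals the length of `repoPassword` through response timing; only the content comparison is constant-time, and only once the lengths already match. Comparing fixed-length digests closes that remaining channel: `pw := sha256.Sum256([]byte(password))`, `want := sha256.Sum256([]byte(repoPassword))`, then `if !ok || subtle.ConstantTimeCompare(pw[:], want[:]) != 1 {`, with `"crypto/sha256"` added to the import block. The new `"crypto/subtle"` import is also placed after `"strings"`, out of the sorted order gofmt/goimports would produce for that group. The handler closure returned by authMW continues past the end of the hunk.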
