From be6fe7e9994e1a1733e81f27c634594d8ebb4a12 Mon Sep 17 00:00:00 2001
From: Thordur Bjornsson
Date: Thu, 1 Feb 2018 22:02:32 +0100
Subject: [PATCH] constant time comparsion for passwords in authmw (#11)

---
 cmd/squirrel/serve.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cmd/squirrel/serve.go b/cmd/squirrel/serve.go
index b3d0db6..e767bde 100644
--- a/cmd/squirrel/serve.go
+++ b/cmd/squirrel/serve.go
@@ -8,6 +8,7 @@ import (
 "net/http"
 "os"
 "strings"
+ "crypto/subtle"
 
 kitlog "github.com/go-kit/kit/log"
 "github.com/go-kit/kit/log/level"
@@ -152,7 +153,7 @@ func printMunkiHeadersHelp(password string) {
 func authMW(next http.Handler, repoPassword string) http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
 _, password, ok := r.BasicAuth()
- if !ok || password != repoPassword {
+ if !ok || subtle.ConstantTimeCompare([]byte(password), []byte(repoPassword)) != 1 {
 w.Header().Set("WWW-Authenticate", `Basic realm="munki"`)
 http.Error(w, "you need to log in", http.StatusUnauthorized)
 return
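Review bot: The new comparison in authMW is constant-time only when both inputs have the same length, because subtle.ConstantTimeCompare returns 0 immediately on a length mismatch, so the timing still reveals whether the supplied password matches the length of repoPassword. The usual mitigation is to compare fixed-length digests of both values so the input length is never the thing being measured: `want := sha256.Sum256([]byte(repoPassword))`, `got := sha256.Sum256([]byte(password))`, `if !ok || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {` (with `"crypto/sha256"` added to the import block). A one-line comment on the condition, `// compare digests so the check is constant-time regardless of input length`, would keep the reason visible to the next maintainer. As a point of style, the first hunk appends `"crypto/subtle"` after `"strings"` in the stdlib group, which breaks the alphabetical order goimports would produce; it belongs between `"context"`-style entries and `"net/http"`, i.e. before `"net/http"`. The body of authMW continues past the end of the hunk.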