basicauth: Patch timing vulnerability

32825e8a · Matthew Holt · cb8691a3 · 32825e8a
Commit 32825e8a authored May 29, 2015 by Matthew Holt
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

middleware/basicauth/basicauth.go middleware/basicauth/basicauth.go +6 -2

No files found.
--- a/middleware/basicauth/basicauth.go
+++ b/middleware/basicauth/basicauth.go
@@ -2,6 +2,7 @@
 package basicauth

 import (
+	"crypto/subtle"
 	"net/http"

 	"github.com/mholt/caddy/middleware"
@@ -34,10 +35,13 @@ func (a BasicAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error
 			hasAuth = true

 			// Check credentials
-			if !ok || username != rule.Username || password != rule.Password {
+			if !ok ||
+				username != rule.Username ||
+				subtle.ConstantTimeCompare([]byte(password), []byte(rule.Password)) != 1 {
 				continue
 			}
-			// flag set only on success authentication
+
+			// Flag set only on successful authentication
 			isAuthenticated = true
 		}
 	}