Safe compare password (timing attack) (#338)
This commit is contained in:
parent
db6a4e9fbf
commit
c8f300b2cd
|
@ -8,6 +8,7 @@ import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"container/list"
|
"container/list"
|
||||||
"crypto/sha256"
|
"crypto/sha256"
|
||||||
|
"crypto/subtle"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
@ -368,7 +369,7 @@ func (u *User) EncodePasswd() {
|
||||||
func (u *User) ValidatePassword(passwd string) bool {
|
func (u *User) ValidatePassword(passwd string) bool {
|
||||||
newUser := &User{Passwd: passwd, Salt: u.Salt}
|
newUser := &User{Passwd: passwd, Salt: u.Salt}
|
||||||
newUser.EncodePasswd()
|
newUser.EncodePasswd()
|
||||||
return u.Passwd == newUser.Passwd
|
return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
|
||||||
}
|
}
|
||||||
|
|
||||||
// UploadAvatar saves custom avatar for user.
|
// UploadAvatar saves custom avatar for user.
|
||||||
|
|
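Review bot: The new return line in ValidatePassword is constant-time only because both operands come from EncodePasswd and so always have the same length; subtle.ConstantTimeCompare returns 0 immediately when the lengths differ, which is fine for correctness here but is an invariant the next maintainer should not accidentally break (e.g. by comparing a raw input against the stored hash). I would record it on the return: `// Both values are EncodePasswd output of identical length, so ConstantTimeCompare never short-circuits on length.` Since the per-call cost is dominated by EncodePasswd's hashing, the comparison change removes the string-equality early exit rather than making the whole check constant-time; the doc comment for ValidatePassword, if it exists, sits above the hunk and is not visible here, so it may be worth stating that the method returns false for a user with an empty stored Passwd.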