mirror
/
gitea
mirror of https://github.com/go-gitea/gitea
2
0
Fork 0
Code Issues Releases Wiki Activity

Safe compare password (timing attack) (#338)

Browse Source
pull/172/head
Denis Denisov 8 years ago committed by Lunny Xiao
parent db6a4e9fbf
commit c8f300b2cd
1 changed files with 2 additions and 1 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 3
      models/user.go

3
models/user.go
Unescape View File

@ -8,6 +8,7 @@ import (
"bytes"
"container/list"
"crypto/sha256"
"crypto/subtle"
"encoding/hex"
"errors"
"fmt"
@ -368,7 +369,7 @@ func (u *User) EncodePasswd() {
func (u *User) ValidatePassword(passwd string) bool {
newUser := &User{Passwd: passwd, Salt: u.Salt}
newUser.EncodePasswd()
return u.Passwd == newUser.Passwd
return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
}
// UploadAvatar saves custom avatar for user.

Write Preview
Loading…
Cancel
Save