author | Denis Denisov <denji@users.noreply.github.com> | 2016-12-03 07:49:17 +0200 |
---|---|---|
committer | Lunny Xiao <xiaolunwen@gmail.com> | 2016-12-03 13:49:17 +0800 |
commit | c8f300b2cdc6f00ba1aeb98c51a534f18474b895 (patch) | |
tree | 68ae343a5167f9d75f26a511c4daccc6ace3d4a9 /models/user.go | |
parent | db6a4e9fbf7ba854862c597f0ed7f606e8ff9557 (diff) | |
download | gitea-c8f300b2cdc6f00ba1aeb98c51a534f18474b895.tar.gz gitea-c8f300b2cdc6f00ba1aeb98c51a534f18474b895.zip |
Safe compare password (timing attack) (#338)
Diffstat (limited to 'models/user.go')
-rw-r--r-- | models/user.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/models/user.go b/models/user.go
index 41fdf0b024..40afc48491 100644
--- a/models/user.go
+++ b/models/user.go
@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"container/list"
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -368,7 +369,7 @@ func (u *User) EncodePasswd() {
 func (u *User) ValidatePassword(passwd string) bool {
 	newUser := &User{Passwd: passwd, Salt: u.Salt}
 	newUser.EncodePasswd()
-	return u.Passwd == newUser.Passwd
+	return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
 }
 
 // UploadAvatar saves custom avatar for user.
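Review bot: `subtle.ConstantTimeCompare` returns 0 immediately when its two arguments differ in length, so the new `return` line in `ValidatePassword` is constant-time only while `u.Passwd` and `newUser.Passwd` are the same length — which holds as long as both are the fixed-length hex digest that `EncodePasswd` writes, but a stored record with an empty or differently-formatted `Passwd` (for instance an externally authenticated account, if such rows exist; this hunk cannot tell) would be rejected by the fast length check instead. That is still a correct `false` and leaks nothing about the candidate password, but the invariant is easy to break silently if the hash format ever changes, so it deserves a comment on the line: `// Both sides are equal-length hex digests from EncodePasswd, so ConstantTimeCompare's length short-circuit cannot leak; preserve this if the hash format changes.` The body of `EncodePasswd` is outside this hunk, so the fixed-length assumption should be confirmed there.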