authorleonklingele <5585491+leonklingele@users.noreply.github.com>2019-07-06 19:03:13 +0200
committertechknowlogick <techknowlogick@gitea.io>2019-07-06 13:03:13 -0400
commitef57fe4ae3c517a0bb10b81a641fb76976f404d3 (patch)
tree7fdfcc4dd36e5ec89082e5fe87560b4bc9d8f2c0 /routers/repo
parent96b66e330b9a592093799a50219c8118de6951eb (diff)
routers: do not leak secrets via timing side channel (#7364)
* routers: do not leak secrets via timing side channel * routers/repo: do not leak secrets via timing side channel
Diffstat (limited to 'routers/repo')
-rw-r--r--routers/repo/pull.go5
1 files changed, 4 insertions, 1 deletions
diff --git a/routers/repo/pull.go b/routers/repo/pull.go
index 4c377bb364..cb4fa9547e 100644
--- a/routers/repo/pull.go
+++ b/routers/repo/pull.go
@@ -8,6 +8,7 @@ package repo
import (
"container/list"
+ "crypto/subtle"
"fmt"
"io"
"path"
@@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
if ctx.Written() {
return
}
- if secret != base.EncodeMD5(owner.Salt) {
+ got := []byte(base.EncodeMD5(owner.Salt))
+ want := []byte(secret)
+ if subtle.ConstantTimeCompare(got, want) != 1 {
ctx.Error(404)
log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
return
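Review bot: The two new locals are named backwards — `got` holds the server-side expected value derived from `owner.Salt`, while `want` holds the caller-supplied `secret` — so a reader skimming the comparison will mistake which side is untrusted. Naming them by origin removes the ambiguity: `expected := []byte(base.EncodeMD5(owner.Salt))`, `provided := []byte(secret)`, `if subtle.ConstantTimeCompare(provided, expected) != 1 {`. A one-line comment would also help future maintainers keep the property the commit establishes, e.g. `// Constant-time compare so a mismatching secret cannot be recovered byte-by-byte via response timing.` Note that `subtle.ConstantTimeCompare` returns 0 early when the lengths differ; that is acceptable here because the expected value is a fixed 32-character hex digest, so the only thing an early return reveals is that the supplied length is wrong, which is public knowledge. TriggerTask begins before this hunk, so the source of `secret` and the earlier `ctx.Written()` handling are not visible in this view.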