@@ -8,6 +8,7 @@ import ( | |||
"bytes" | |||
"container/list" | |||
"crypto/sha256" | |||
"crypto/subtle" | |||
"encoding/hex" | |||
"errors" | |||
"fmt" | |||
@@ -368,7 +369,7 @@ func (u *User) EncodePasswd() { | |||
func (u *User) ValidatePassword(passwd string) bool { | |||
newUser := &User{Passwd: passwd, Salt: u.Salt} | |||
newUser.EncodePasswd() | |||
return u.Passwd == newUser.Passwd | |||
return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1 | |||
} | |||
// UploadAvatar saves custom avatar for user. |
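Review bot: The constant-time compare on the new return line is the right change, but it still returns 0 as soon as the two encoded values differ in length, so the line deserves a comment stating what it does and does not guarantee; I would add above it `// Constant-time compare so the check's duration does not depend on how many leading bytes of the stored hash match; it still short-circuits on a length mismatch, which is fine because both values come from EncodePasswd with the same salt.` If a stored Passwd can be empty or in an older encoding (I cannot tell from this hunk), that path fails fast with a 0 result, which is safe but worth pinning in a test. No doc comment for the exported ValidatePassword is visible in the hunk; if none exists above the signature, `// ValidatePassword reports whether passwd, encoded with u's salt, matches the stored password hash.` should be added on the line before it.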