From 84f28fc5d667a24caf24a000047c4af6efe1af16 Mon Sep 17 00:00:00 2001
From: Denis Denisov
Date: Sat, 28 Jan 2017 20:28:52 +0200
Subject: [PATCH] Safe compare password (timing attack) (#4064)

---
 models/user.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/models/user.go b/models/user.go
index f01f8b2a6..18221756c 100644
--- a/models/user.go
+++ b/models/user.go
@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"container/list"
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/hex"
 	"errors"
 	"fmt"
@@ -324,7 +325,7 @@ func (u *User) EncodePasswd() {
 func (u *User) ValidatePassword(passwd string) bool {
 	newUser := &User{Passwd: passwd, Salt: u.Salt}
 	newUser.EncodePasswd()
-	return u.Passwd == newUser.Passwd
+	return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
 }
 
 // UploadAvatar saves custom avatar for user.
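Review bot: The new return line in ValidatePassword is constant-time only when both operands have the same length, because subtle.ConstantTimeCompare returns 0 before comparing any bytes when the lengths differ; that is fine here as long as EncodePasswd (defined above this hunk, not visible) always yields a fixed-length encoding for both the stored hash and the freshly computed one, and that assumption deserves a comment such as `// Both values are EncodePasswd output of equal length; ConstantTimeCompare returns 0 early when lengths differ.` An empty stored u.Passwd (an account with no local password, if such accounts exist) would fail the length check and return false, which is the safe outcome. The doc comment for ValidatePassword, if one exists, sits above the hunk and cannot be checked here.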