playground
/
gogs
mirror of https://github.com/gogits/gogs.git
1
0
Fork 0
Code Issues Releases Activity
Browse Source

Safe compare password (timing attack) (#4064)

pull/3335/merge
Denis Denisov 8 years ago committed by 无闻
parent
9144ea2b1d
commit
84f28fc5d6
1 changed files with 2 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      models/user.go

3
models/user.go
Unescape View File

@ -8,6 +8,7 @@ import (
"bytes" "bytes"
"container/list" "container/list"
"crypto/sha256" "crypto/sha256"
"crypto/subtle"
"encoding/hex" "encoding/hex"
"errors" "errors"
"fmt" "fmt"
@ -324,7 +325,7 @@ func (u *User) EncodePasswd() {
func (u *User) ValidatePassword(passwd string) bool { func (u *User) ValidatePassword(passwd string) bool {
newUser := &User{Passwd: passwd, Salt: u.Salt} newUser := &User{Passwd: passwd, Salt: u.Salt}
newUser.EncodePasswd() newUser.EncodePasswd()
return u.Passwd == newUser.Passwd return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
} }
// UploadAvatar saves custom avatar for user. // UploadAvatar saves custom avatar for user.

Write Preview
Loading…
Cancel
Save