routers: do not leak secrets via timing side channel (#7364)
* routers: do not leak secrets via timing side channel * routers/repo: do not leak secrets via timing side channel
This commit is contained in:
leonklingele
techknowlogick
parent
96b66e330b
commit
ef57fe4ae3
2 changed files with 9 additions and 2 deletions
|
|
@ -5,6 +5,8 @@
|
|||
package routers
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
|
||||
"github.com/prometheus/client_golang/prometheus/promhttp"
|
||||
|
||||
"code.gitea.io/gitea/modules/context"
|
||||
|
|
@ -22,7 +24,9 @@ func Metrics(ctx *context.Context) {
|
|||
ctx.Error(401)
|
||||
return
|
||||
}
|
||||
if header != "Bearer "+setting.Metrics.Token {
|
||||
got := []byte(header)
|
||||
want := []byte("Bearer " + setting.Metrics.Token)
|
||||
if subtle.ConstantTimeCompare(got, want) != 1 {
|
||||
ctx.Error(401)
|
||||
return
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ package repo
|
|||
|
||||
import (
|
||||
"container/list"
|
||||
"crypto/subtle"
|
||||
"fmt"
|
||||
"io"
|
||||
"path"
|
||||
|
|
@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
|
|||
if ctx.Written() {
|
||||
return
|
||||
}
|
||||
if secret != base.EncodeMD5(owner.Salt) {
|
||||
got := []byte(base.EncodeMD5(owner.Salt))
|
||||
want := []byte(secret)
|
||||
if subtle.ConstantTimeCompare(got, want) != 1 {
|
||||
ctx.Error(404)
|
||||
log.Trace("TriggerTask [%s/%s]: invalid secret", owner.Name, repo.Name)
|
||||
return
|
||||
|
|
|
|||
Loading…
Reference in a new issue