Safe compare password (timing attack) (#338)
This commit is contained in:
parent
db6a4e9fbf
commit
c8f300b2cd
1 changed files with 2 additions and 1 deletions
|
@ -8,6 +8,7 @@ import (
|
|||
"bytes"
|
||||
"container/list"
|
||||
"crypto/sha256"
|
||||
"crypto/subtle"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
@ -368,7 +369,7 @@ func (u *User) EncodePasswd() {
|
|||
func (u *User) ValidatePassword(passwd string) bool {
|
||||
newUser := &User{Passwd: passwd, Salt: u.Salt}
|
||||
newUser.EncodePasswd()
|
||||
return u.Passwd == newUser.Passwd
|
||||
return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1
|
||||
}
|
||||
|
||||
// UploadAvatar saves custom avatar for user.
|
||||
|
|
Reference in a new issue