diff options
| author | Denis Denisov <denji@users.noreply.github.com> | 2017-01-28 20:28:52 +0200 |
|---|---|---|
| committer | 无闻 <u@gogs.io> | 2017-01-28 13:28:52 -0500 |
| commit | 84f28fc5d667a24caf24a000047c4af6efe1af16 (patch) | |
| tree | f2598da72e2d99968ed1a14bca6f15fbf549c70d /models | |
| parent | 9144ea2b1db337bd20c32d78bb41493e79f5cb06 (diff) | |
Safe compare password (timing attack) (#4064)
Diffstat (limited to 'models')
| -rw-r--r-- | models/user.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/models/user.go b/models/user.go index f01f8b2a..18221756 100644 --- a/models/user.go +++ b/models/user.go @@ -8,6 +8,7 @@ import ( "bytes" "container/list" "crypto/sha256" + "crypto/subtle" "encoding/hex" "errors" "fmt" @@ -324,7 +325,7 @@ func (u *User) EncodePasswd() { func (u *User) ValidatePassword(passwd string) bool { newUser := &User{Passwd: passwd, Salt: u.Salt} newUser.EncodePasswd() - return u.Passwd == newUser.Passwd + return subtle.ConstantTimeCompare([]byte(u.Passwd), []byte(newUser.Passwd)) == 1 } // UploadAvatar saves custom avatar for user. |