Do constant time compares for sessions for security reasons.

This commit is contained in:
Azareal 2018-07-20 17:58:59 +10:00
parent e62f6a4868
commit 60bf821f8a
1 changed files with 1 additions and 1 deletions


@ -250,7 +250,7 @@ func (auth *DefaultAuth) SessionCheck(w http.ResponseWriter, r *http.Request) (u
return &GuestUser, true
}
if user.Session == "" || session != user.Session {
if user.Session == "" || subtle.ConstantTimeCompare([]byte(session), []byte(user.Session)) != 1 {
return &GuestUser, false
}
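Review bot: `subtle.ConstantTimeCompare` on the new line returns 0 immediately when the two slices differ in length, so the compare is constant-time in content but not in length; unless every session value is the same fixed size, the length of `user.Session` remains observable through timing. A common hardening is to compare fixed-size digests of both values, e.g. `a := sha256.Sum256([]byte(session)); b := sha256.Sum256([]byte(user.Session))` followed by `subtle.ConstantTimeCompare(a[:], b[:]) != 1`, which costs the same regardless of either input. The diffstat shows only this one line changed, so I assume `crypto/subtle` was already imported in this file; worth confirming the build rather than inferring it. The enclosing SessionCheck function begins before the hunk, so where `session` is read from the request is not visible here.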