Use constant time comparisons for sessions in forms.

This commit is contained in:
Azareal 2019-08-30 20:59:50 +10:00
parent ddb917761f
commit c309faf79f
1 changed files with 11 additions and 2 deletions


@ -10,6 +10,7 @@ import (
"os" "os"
"io" "io"
"regexp" "regexp"
"crypto/subtle"
"github.com/Azareal/Gosora/common/phrases" "github.com/Azareal/Gosora/common/phrases"
) )
@ -470,7 +471,11 @@ func NoSessionMismatch(w http.ResponseWriter, r *http.Request, user User) RouteE
if err != nil { if err != nil {
return LocalError("Bad Form", w, r, user) return LocalError("Bad Form", w, r, user)
} }
if r.FormValue("session") != user.Session && r.FormValue("s") != user.Session { sess := []byte(user.Session)
if len(sess) == 0 {
return SecurityError(w, r, user)
}
if subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) != 1 && subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) != 1 {
return SecurityError(w, r, user) return SecurityError(w, r, user)
} }
return nil return nil
@ -496,7 +501,11 @@ func HandleUploadRoute(w http.ResponseWriter, r *http.Request, user User, maxFil
} }
func NoUploadSessionMismatch(w http.ResponseWriter, r *http.Request, user User) RouteError { func NoUploadSessionMismatch(w http.ResponseWriter, r *http.Request, user User) RouteError {
if r.FormValue("session") != user.Session && r.FormValue("s") != user.Session { sess := []byte(user.Session)
if len(sess) == 0 {
return SecurityError(w, r, user)
}
if subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) != 1 && subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) != 1 {
return SecurityError(w, r, user) return SecurityError(w, r, user)
} }
return nil return nil
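Review bot: The new empty-session guard and the two subtle.ConstantTimeCompare calls are duplicated verbatim in NoSessionMismatch and NoUploadSessionMismatch; a small shared helper would keep the guard and the comparison in one place so a later change lands in both routes. The sketch below folds both checks into `sessionMatches` and reduces each function body to `if !sessionMatches(user.Session, r.FormValue("session"), r.FormValue("s")) { return SecurityError(w, r, user) }`. Note that subtle.ConstantTimeCompare returns 0 as soon as the two lengths differ, so the length of user.Session remains observable; that is fine if sessions are fixed-length tokens, which I assume but cannot confirm from this hunk. The added `"crypto/subtle"` import is placed after `"regexp"` and next to the third-party group, whereas goimports would sort it into the stdlib group. The start of NoSessionMismatch and the closing brace of NoUploadSessionMismatch lie outside the hunks.
```go
// sessionMatches reports whether any submitted token equals the user's
// session token, comparing in constant time. An empty stored session
// never matches, so a user without a session cannot pass the check.
func sessionMatches(session string, submitted ...string) bool {
	sess := []byte(session)
	if len(sess) == 0 {
		return false
	}
	for _, s := range submitted {
		if subtle.ConstantTimeCompare([]byte(s), sess) == 1 {
			return true
		}
	}
	return false
}

func NoUploadSessionMismatch(w http.ResponseWriter, r *http.Request, user User) RouteError {
	if !sessionMatches(user.Session, r.FormValue("session"), r.FormValue("s")) {
		return SecurityError(w, r, user)
	}
	return nil
}
```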