Upstream/harbor
1
0
Fork 0
mirror of https://github.com/goharbor/harbor.git synced 2024-11-29 21:54:13 +01:00
Code Issues Projects Releases Wiki Activity

(cherry-pick) Use subtle.ConstantTimeCompare instead of compare directly (#18710)

Browse Source 
Use subtle.ConstantTimeCompare instead of compare directly

Signed-off-by: stonezdj <daojunz@vmware.com>
This commit is contained in:
stonezdj(Daojun Zhang) 2023-05-23 21:02:25 +08:00 committed by GitHub
parent 1e616ad393
commit 31547ec593
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/jobservice/api/authenticator.go
View File

@ -15,6 +15,7 @@
package api package api
import ( import (
"crypto/subtle"
"errors" "errors"
"fmt" "fmt"
"net/http" "net/http"
@ -66,7 +67,7 @@ func (sa *SecretAuthenticator) DoAuth(req *http.Request) error {
} }
expectedSecret := config.GetUIAuthSecret() expectedSecret := config.GetUIAuthSecret()
if expectedSecret != secret { if subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0 {
return errors.New("unauthorized") return errors.New("unauthorized")
} }

3
src/registryctl/auth/secret.go
View File

@ -15,6 +15,7 @@
package auth package auth
import ( import (
"crypto/subtle"
"errors" "errors"
"net/http" "net/http"
"strings" "strings"
@ -54,7 +55,7 @@ func (s *secretHandler) AuthorizeRequest(req *http.Request) error {
secInReq := strings.TrimPrefix(auth, HarborSecret) secInReq := strings.TrimPrefix(auth, HarborSecret)
for _, v := range s.secrets { for _, v := range s.secrets {
if secInReq == v { if subtle.ConstantTimeCompare([]byte(secInReq), []byte(v)) == 1 {
return nil return nil
} }
} }