Use subtle.ConstantTimeCompare instead of compare directly (#18697)
Signed-off-by: stonezdj <daojunz@vmware.com>
This commit is contained in:
parent
ac70a14397
commit
9d042ad585
@ -15,6 +15,7 @@
|
||||
package api
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
@ -66,7 +67,7 @@ func (sa *SecretAuthenticator) DoAuth(req *http.Request) error {
|
||||
}
|
||||
|
||||
expectedSecret := config.GetUIAuthSecret()
|
||||
if expectedSecret != secret {
|
||||
if subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0 {
|
||||
return errors.New("unauthorized")
|
||||
}
|
||||
|
||||
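Review bot: The new `subtle.ConstantTimeCompare` line still lets a request through when `config.GetUIAuthSecret()` returns an empty string and the request carries an empty secret, because comparing two empty slices yields 1; unless the code before this hunk already rejects an empty `secret` (not visible here), an unconfigured UI secret would authenticate anyone. Guard it explicitly: `if expectedSecret == "" || subtle.ConstantTimeCompare([]byte(expectedSecret), []byte(secret)) == 0 {`. Note also that `ConstantTimeCompare` returns 0 immediately when the lengths differ, so timing can still reveal the length of the expected secret; that is acceptable only if the UI secret has a fixed, non-sensitive length. A short comment such as `// constant-time compare so a timing side channel cannot recover the secret byte by byte` would record the intent for the next maintainer. `DoAuth` starts before this hunk and continues past it.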
|
@ -15,6 +15,7 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"crypto/subtle"
|
||||
"errors"
|
||||
"net/http"
|
||||
"strings"
|
||||
@ -54,7 +55,7 @@ func (s *secretHandler) AuthorizeRequest(req *http.Request) error {
|
||||
secInReq := strings.TrimPrefix(auth, HarborSecret)
|
||||
|
||||
for _, v := range s.secrets {
|
||||
if secInReq == v {
|
||||
if subtle.ConstantTimeCompare([]byte(secInReq), []byte(v)) == 1 {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
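Review bot: The loop over `s.secrets` still accepts a request whose `secInReq` is empty whenever any configured entry is empty, since `ConstantTimeCompare` of two empty slices returns 1; if the construction of `s.secrets` can leave an empty entry (not visible here), skip it before comparing, e.g. `if v == "" { continue }`. Returning `nil` on the first match also makes the total time depend on which entry matched, which reveals at most the index of the matching secret rather than its contents and is generally acceptable. A comment like `// constant-time compare per candidate so a timing side channel cannot recover a secret byte by byte` would document why the plain `==` was replaced. `AuthorizeRequest` starts before this hunk and continues past it.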