首页 发现 帮助
登录
LBP
/
miniflux_v2
镜像自地址 https://github.com/miniflux/v2.git
4
0
派生 0
文件 工单管理 0 Wiki
浏览代码

Use constant-time comparison for anti-csrf tokens

This is probably completely overkill, but since anti-csrf tokens are secrets,
they should be compared against untrusted inputs in constant time.
jvoisin 2 年之前
父节点
9fe99ce7fa
当前提交
d55b410800
共有 2 个文件被更改,包括 7 次插入1 次删除
分列视图 显示文件统计
  1. 5 0
      internal/crypto/crypto.go
  2. 2 1
      internal/ui/middleware.go

+ 5 - 0
internal/crypto/crypto.go
查看文件 

@@ -7,6 +7,7 @@ import (
 
 	"crypto/hmac"
 
 	"crypto/rand"
 
 	"crypto/sha256"
 
+	"crypto/subtle"
 
 	"encoding/base64"
 
 	"encoding/hex"
 
 	"fmt"
 
@@ -60,3 +61,7 @@ func GenerateUUID() string {
 
 	b := GenerateRandomBytes(16)
 
 	return fmt.Sprintf("%X-%X-%X-%X-%X", b[0:4], b[4:6], b[6:8], b[8:10], b[10:])
 
 }
 
+
 
+func ConstantTimeCmp(a, b string) bool {
 
+	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
 
+}

+ 2 - 1
internal/ui/middleware.go
查看文件 

@@ -10,6 +10,7 @@ import (
 
 	"net/http"
 
 
 	"miniflux.app/v2/internal/config"
 
+	"miniflux.app/v2/internal/crypto"
 
 	"miniflux.app/v2/internal/http/cookie"
 
 	"miniflux.app/v2/internal/http/request"
 
 	"miniflux.app/v2/internal/http/response/html"
 
@@ -92,7 +93,7 @@ func (m *middleware) handleAppSession(next http.Handler) http.Handler {
 
 			formValue := r.FormValue("csrf")
 
 			headerValue := r.Header.Get("X-Csrf-Token")
 
 
-			if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
 
+			if !crypto.ConstantTimeCmp(session.Data.CSRF, formValue) && !crypto.ConstantTimeCmp(session.Data.CSRF, headerValue) {
 
 				slog.Warn("Invalid or missing CSRF token",
 
 					slog.Any("url", r.RequestURI),
 
 					slog.String("form_csrf", formValue),