mirror of https://github.com/k3s-io/k3s
239021e759
As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> |
||
---|---|---|
.. | ||
basicauth | ||
hash | ||
passwordfile | ||
authenticator.go |