github
/
statping
mirror of https://github.com/statping/statping
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #324 from InnovativeInventor/master 

Fixed potential timing attack
pull/335/head
Hunter Long 2019-12-26 04:50:36 -08:00 committed by GitHub
parent fbae8a1867 76f85ebb2f
commit b534652064
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
handlers/handlers.go
View File

@ -16,19 +16,21 @@
package handlers
import (
"crypto/subtle"
"crypto/tls"
"encoding/json"
"fmt"
"github.com/gorilla/sessions"
"github.com/hunterlong/statping/core"
"github.com/hunterlong/statping/source"
"github.com/hunterlong/statping/types"
"github.com/hunterlong/statping/utils"
"html/template"
"net/http"
"os"
"strings"
"time"
"github.com/gorilla/sessions"
"github.com/hunterlong/statping/core"
"github.com/hunterlong/statping/source"
"github.com/hunterlong/statping/types"
"github.com/hunterlong/statping/utils"
)
const (
@ -105,14 +107,14 @@ func IsReadAuthenticated(r *http.Request) bool {
var token string
query := r.URL.Query()
key := query.Get("api")
if key == core.CoreApp.ApiKey {
if subtle.ConstantTimeCompare([]byte(key), []byte(core.CoreApp.ApiKey)) == 1 {
return true
}
tokens, ok := r.Header["Authorization"]
if ok && len(tokens) >= 1 {
token = tokens[0]
token = strings.TrimPrefix(token, "Bearer ")
if token == core.CoreApp.ApiKey {
if subtle.ConstantTimeCompare([]byte(token), []byte(core.CoreApp.ApiKey)) == 1 {
return true
}
}
@ -136,7 +138,7 @@ func IsFullAuthenticated(r *http.Request) bool {
if ok && len(tokens) >= 1 {
token = tokens[0]
token = strings.TrimPrefix(token, "Bearer ")
if token == core.CoreApp.ApiSecret {
if subtle.ConstantTimeCompare([]byte(token), []byte(core.CoreApp.ApiKey)) == 1 {
return true
}
}