Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

basic auth: fix timing oracle #2609

Merged
merged 2 commits into from Jan 13, 2021
Merged

basic auth: fix timing oracle #2609

merged 2 commits into from Jan 13, 2021

Conversation

@Snawoot
Copy link
Contributor

@Snawoot Snawoot commented Jan 12, 2021

Fix #2226

I've read discussion in #2226, but there are few reasons to consider on behalf of merge of this PR:

  • It's pretty easy to fix it
  • Even if Basic Auth should not be considered as a secure auth method, it will be often misused in the wild. It'll be hard to make people using basic auth middleware always make informed decision.
  • There are cases like server to server integration via HTTPS where basic auth is just good enough.
@codecov
Copy link

@codecov codecov bot commented Jan 12, 2021

Codecov Report

Merging #2609 (705955b) into master (46ddd42) will not change coverage.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #2609   +/-   ##
=======================================
  Coverage   98.64%   98.64%           
=======================================
  Files          41       41           
  Lines        1989     1989           
=======================================
  Hits         1962     1962           
  Misses         15       15           
  Partials       12       12           
Impacted Files Coverage Δ
auth.go 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 46ddd42...705955b. Read the comment docs.

@thinkerou thinkerou requested review from thinkerou and appleboy Jan 13, 2021
@thinkerou thinkerou added this to the 1.7 milestone Jan 13, 2021
Copy link
Member

@thinkerou thinkerou left a comment

lgtm

@thinkerou thinkerou merged commit b01605b into gin-gonic:master Jan 13, 2021
3 checks passed
@Snawoot Snawoot deleted the fix_basic_auth_timing_oracle branch Jan 13, 2021
RK-GCP added a commit to RK-GCP/gin that referenced this issue Mar 18, 2021
* Revert "Adding ppc64le architecture support on travis-ci (gin-gonic#2538)" (gin-gonic#2602)

* test: fixed the TestUnixSocket test on windows (gin-gonic#2595)

Co-authored-by: thinkerou <thinkerou@gmail.com>

* gin mode unknown: show available mode (gin-gonic#2567)

Co-authored-by: thinkerou <thinkerou@gmail.com>

* fix error gin support min Go version (gin-gonic#2584)

Co-authored-by: thinkerou <thinkerou@gmail.com>

* Fixes to the graceful shutdown example (gin-gonic#2552)

* Change error comparison to use errors.Is() and add a line of whitespace before the if statement on graceful shutdown

* Change from log.Fatalf to log.Printf to ensure the graceful shutdown actually works

Co-authored-by: J. J. Bigorra <josep@prowarehouse.nl>
Co-authored-by: thinkerou <thinkerou@gmail.com>

* basic auth: fix timing oracle (gin-gonic#2609)

Co-authored-by: thinkerou <thinkerou@gmail.com>

* chore: Deleted spaces (gin-gonic#2622)

* Remove the tedious named return value (gin-gonic#2620)

Co-authored-by: thinkerou <thinkerou@gmail.com>

Co-authored-by: thinkerou <thinkerou@gmail.com>
Co-authored-by: Jeff <laojianzi1994@gmail.com>
Co-authored-by: Rubi <14269809+codenoid@users.noreply.github.com>
Co-authored-by: Qt <golang.chen@gmail.com>
Co-authored-by: Josep Jesus Bigorra Algaba <42377845+averageflow@users.noreply.github.com>
Co-authored-by: J. J. Bigorra <josep@prowarehouse.nl>
Co-authored-by: Snawoot <vladislav-ex-github@vm-0.com>
Co-authored-by: Alexander Melentyev <55826637+alexander-melentyev@users.noreply.github.com>
Co-authored-by: Andy Pan <panjf2000@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

2 participants