
routers: do not leak secrets via timing side channel #7364

Merged

Conversation

@leonklingele
Contributor

commented Jul 5, 2019

No description provided.

leonklingele added some commits Jul 5, 2019

@@ -771,7 +772,9 @@ func TriggerTask(ctx *context.Context) {
if ctx.Written() {
return
}
if secret != base.EncodeMD5(owner.Salt) {
got := []byte(base.EncodeMD5(owner.Salt))
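Review bot: the comparison that consumes `got` falls outside this excerpt, so confirm it is `subtle.ConstantTimeCompare(got, []byte(secret)) == 1` (from `crypto/subtle`) rather than `bytes.Equal`, which still stops at the first differing byte and would leave the timing channel the title describes. ConstantTimeCompare returns 0 immediately when the two lengths differ; that is acceptable here because the expected side is always the fixed-length hex digest `base.EncodeMD5` produces, so the length reveals nothing about `owner.Salt`. A one-line comment on the `got :=` line stating that the secret must be compared in constant time would stop a later refactor from reverting to `!=`.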

@leonklingele

leonklingele Jul 6, 2019

Author Contributor

Why does this

  1. use md5?
  2. use owner's salt instead of some secret?

And who calls this API? Couldn't find any callers inside gitea itself.
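To make the change concrete, here is the pre-patch comparison shape next to the constant-time form, as an added example written for this page rather than Gitea's own code. `encodeMD5` stands in for `base.EncodeMD5` on the assumption that it returns the lowercase hex MD5 digest; `secretMatchesNaive`, `secretMatchesConstantTime` and `secretMatchesAnyLength` are constructed names, and the last one goes beyond the hunk by covering secrets whose expected length is itself sensitive.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// encodeMD5 stands in for base.EncodeMD5 from the hunk (assumption: it returns
// the lowercase hex MD5 digest of its input). Constructed for this example.
func encodeMD5(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// secretMatchesNaive is the pre-patch shape of the check: a plain string
// comparison stops at the first differing byte, so the response time grows
// with the length of the correct prefix the caller supplied.
func secretMatchesNaive(secret, salt string) bool {
	return secret == encodeMD5(salt)
}

// secretMatchesConstantTime is the hardened shape: subtle.ConstantTimeCompare
// touches every byte whether or not an early mismatch occurs. It returns 0
// immediately when the lengths differ, which is harmless here because the
// expected side is always a 32-character hex digest.
func secretMatchesConstantTime(secret, salt string) bool {
	got := []byte(encodeMD5(salt))
	return subtle.ConstantTimeCompare(got, []byte(secret)) == 1
}

// secretMatchesAnyLength generalises the technique to secrets whose expected
// length is itself sensitive: hashing both sides first gives ConstantTimeCompare
// inputs of equal length, so neither content nor length leaks through timing.
// Constructed name, not Gitea's.
func secretMatchesAnyLength(provided, expected string) bool {
	p := sha256.Sum256([]byte(provided))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}

func main() {
	salt := "constructed-example-salt" // constructed sample value
	good := encodeMD5(salt)
	fmt.Println("expected digest length:", len(good))
	fmt.Println("valid secret accepted:", secretMatchesConstantTime(good, salt))
	// '?' is not a hex character, so this candidate can never match.
	fmt.Println("tampered secret rejected:", !secretMatchesConstantTime(good[:31]+"?", salt))
	fmt.Println("variable-length compare:", secretMatchesAnyLength("hunter2", "hunter2"))
}
```

Both functions return the same boolean for every input; the only difference is that the constant-time version's running time no longer depends on where the first mismatch sits.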

@GiteaBot GiteaBot added the lgtm/need 2 label Jul 6, 2019

@GiteaBot GiteaBot added lgtm/need 1 and removed lgtm/need 2 labels Jul 6, 2019

@codecov-io


commented Jul 6, 2019

Codecov Report

Merging #7364 into master will increase coverage by <.01%.
The diff coverage is 0%.


@@            Coverage Diff             @@
##           master    #7364      +/-   ##
==========================================
+ Coverage   41.24%   41.25%   +<.01%     
==========================================
  Files         467      467              
  Lines       63291    63295       +4     
==========================================
+ Hits        26107    26111       +4     
+ Misses      33769    33768       -1     
- Partials     3415     3416       +1
Impacted Files              Coverage   Δ
routers/metrics.go          0%         <0%> (ø) ⬆️
routers/repo/pull.go        31.62%     <0%> (-0.09%) ⬇️
modules/process/manager.go  76.81%     <0%> (-4.35%) ⬇️
models/repo_list.go         72.08%     <0%> (-1.02%) ⬇️
models/gpg_key.go           56.66%     <0%> (+0.83%) ⬆️
routers/repo/view.go        43.25%     <0%> (+1.01%) ⬆️
models/unit.go              67.56%     <0%> (+5.4%) ⬆️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Powered by Codecov. Last update 96b66e3...0efbb49.

@lunny

lunny approved these changes Jul 6, 2019

@GiteaBot GiteaBot added lgtm/done and removed lgtm/need 1 labels Jul 6, 2019

@techknowlogick techknowlogick merged commit ef57fe4 into go-gitea:master Jul 6, 2019

1 check passed

continuous-integration/drone/pr Build is passing

@zeripath zeripath added this to the 1.9.0 milestone Jul 6, 2019

jeffliu27 added a commit to jeffliu27/gitea that referenced this pull request Jul 18, 2019

routers: do not leak secrets via timing side channel (go-gitea#7364)
* routers: do not leak secrets via timing side channel

* routers/repo: do not leak secrets via timing side channel