constant time comparsion for passwords in authmw (#11)

micromdm · Feb 1, 2018 · be6fe7e · be6fe7e
1 parent f60ad55
commit be6fe7e
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/cmd/squirrel/serve.go b/cmd/squirrel/serve.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"crypto/subtle"
 
 	kitlog "github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/log/level"
@@ -152,7 +153,7 @@ func printMunkiHeadersHelp(password string) {
 func authMW(next http.Handler, repoPassword string) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		_, password, ok := r.BasicAuth()
-		if !ok || password != repoPassword {
+		if !ok || subtle.ConstantTimeCompare([]byte(password), []byte(repoPassword)) != 1 {
 			w.Header().Set("WWW-Authenticate", `Basic realm="munki"`)
 			http.Error(w, "you need to log in", http.StatusUnauthorized)
 			return