Use constant time comparisons for sessions in forms.

Azareal 2019-08-30 20:59:50 +10:00
parent ddb917761f
commit c309faf79f


@ -10,6 +10,7 @@ import (
"os"
"io"
"regexp"
"crypto/subtle"
"github.com/Azareal/Gosora/common/phrases"
)
@ -470,7 +471,11 @@ func NoSessionMismatch(w http.ResponseWriter, r *http.Request, user User) RouteE
if err != nil {
return LocalError("Bad Form", w, r, user)
}
if r.FormValue("session") != user.Session && r.FormValue("s") != user.Session {
sess := []byte(user.Session)
if len(sess) == 0 {
return SecurityError(w, r, user)
}
if subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) != 1 && subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) != 1 {
return SecurityError(w, r, user)
}
return nil
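Review bot: The five new lines starting at `sess := []byte(user.Session)` are duplicated verbatim in NoUploadSessionMismatch further down the same file, so the next fix to one check will be missed in the other; a small shared helper keeps the two routes in lock-step. The `len(sess) == 0` guard is the important part and deserves a comment, because `subtle.ConstantTimeCompare` returns 1 for two empty slices, so without it a guest with an empty session would pass with an empty form value — something like `// Empty tokens never match: ConstantTimeCompare treats two empty slices as equal.` Note that the closing brace of NoSessionMismatch is outside the hunk, so the helper below would replace only the lines shown.
```go
// sessionMatches reports whether the "session" or "s" form field equals the
// user's session token, compared in constant time. An empty token never
// matches: ConstantTimeCompare returns 1 for two empty slices, so a guest with
// no session would otherwise pass with an empty form value.
func sessionMatches(r *http.Request, user User) bool {
	sess := []byte(user.Session)
	if len(sess) == 0 {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) == 1 ||
		subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) == 1
}

// … unchanged: NoSessionMismatch form parsing and error return …
	if !sessionMatches(r, user) {
		return SecurityError(w, r, user)
	}
	return nil
```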
@ -496,7 +501,11 @@ func HandleUploadRoute(w http.ResponseWriter, r *http.Request, user User, maxFil
}
func NoUploadSessionMismatch(w http.ResponseWriter, r *http.Request, user User) RouteError {
if r.FormValue("session") != user.Session && r.FormValue("s") != user.Session {
sess := []byte(user.Session)
if len(sess) == 0 {
return SecurityError(w, r, user)
}
if subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) != 1 && subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) != 1 {
return SecurityError(w, r, user)
}
return nil
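Review bot: The constant-time comparison on the `if subtle.ConstantTimeCompare(...)` line still reveals one thing about the token: `ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so only the content, not the length, of `user.Session` is protected. If session tokens are always the same fixed length (not visible in this hunk) that is harmless and worth stating in a comment, e.g. `// Tokens are fixed-length, so the length-mismatch early exit in ConstantTimeCompare leaks nothing.`; if their length can vary, compare SHA-256 digests of both sides instead so the lengths are always equal. The `&&` between the two comparisons short-circuits, but that only exposes which of the client's own fields matched, so it is acceptable. NoUploadSessionMismatch's closing brace is outside the hunk.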