From c309faf79f71e928763c221d274f44d9913ea3a7 Mon Sep 17 00:00:00 2001
From: Azareal <azareal@users.noreply.github.com>
Date: Fri, 30 Aug 2019 20:59:50 +1000
Subject: [PATCH] Use constant time comparisons for sessions in forms.

---
 common/routes_common.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/common/routes_common.go b/common/routes_common.go
index 611f0a78..683e486c 100644
--- a/common/routes_common.go
+++ b/common/routes_common.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"io"
 	"regexp"
+	"crypto/subtle"
 
 	"github.com/Azareal/Gosora/common/phrases"
 )
@@ -470,7 +471,11 @@ func NoSessionMismatch(w http.ResponseWriter, r *http.Request, user User) RouteE
 	if err != nil {
 		return LocalError("Bad Form", w, r, user)
 	}
-	if r.FormValue("session") != user.Session && r.FormValue("s") != user.Session {
+	sess := []byte(user.Session)
+	if len(sess) == 0 {
+		return SecurityError(w, r, user)
+	}
+	if subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) != 1 && subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) != 1 {
 		return SecurityError(w, r, user)
 	}
 	return nil
@@ -496,7 +501,11 @@ func HandleUploadRoute(w http.ResponseWriter, r *http.Request, user User, maxFil
 }
 
 func NoUploadSessionMismatch(w http.ResponseWriter, r *http.Request, user User) RouteError {
-	if r.FormValue("session") != user.Session && r.FormValue("s") != user.Session {
+	sess := []byte(user.Session)
+	if len(sess) == 0 {
+		return SecurityError(w, r, user)
+	}
+	if subtle.ConstantTimeCompare([]byte(r.FormValue("session")), sess) != 1 && subtle.ConstantTimeCompare([]byte(r.FormValue("s")), sess) != 1 {
 		return SecurityError(w, r, user)
 	}
 	return nil