fix(security): compare auth token in constant time (#3740 close #3739)
NewbieOrange authored Mar 6, 2023
1 parent dd4c973 commit d484219
Showing 1 changed file with 3 additions and 1 deletion.
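--- a/server/middlewares/auth.go
+++ b/server/middlewares/auth.go
@@ -1,6 +1,8 @@
 package middlewares
 
 import (
+"crypto/subtle"
+
 "github.com/alist-org/alist/v3/internal/conf"
 "github.com/alist-org/alist/v3/internal/model"
 "github.com/alist-org/alist/v3/internal/op"
@@ -14,7 +16,7 @@ import (
 // if token is empty, set user to guest
 func Auth(c *gin.Context) {
 token := c.GetHeader("Authorization")
-if token == setting.GetStr(conf.Token) {
+if subtle.ConstantTimeCompare([]byte(token), []byte(setting.GetStr(conf.Token))) == 1 {
 admin, err := op.GetAdmin()
 if err != nil {
 common.ErrorResp(c, err, 500)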
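Review bot: The new comparison on the `if` line in the second hunk still admits an empty Authorization header whenever the configured token is empty, because subtle.ConstantTimeCompare of two empty slices returns 1 and the request would then be treated as the admin user; whether setting.GetStr(conf.Token) can be empty is not visible here, so this is worth confirming rather than assuming. A cheap guard that does not depend on that answer is `if token != "" && subtle.ConstantTimeCompare([]byte(token), []byte(setting.GetStr(conf.Token))) == 1 {`, which also keeps the "if token is empty, set user to guest" comment above accurate. Note too that ConstantTimeCompare returns 0 immediately when the lengths differ, so the configured token's length remains observable; if that matters, compare fixed-size digests of both values instead, e.g. `a, b := sha256.Sum256([]byte(token)), sha256.Sum256([]byte(setting.GetStr(conf.Token)))` followed by `subtle.ConstantTimeCompare(a[:], b[:]) == 1`. The body of Auth continues past the end of this hunk.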
