Icycoide/RSCC-Forge
1
0
Fork 0
forked from kevadesu/forgejo
Code Pull requests Activity

fix(sec): use constant time check for internal token

Browse source
This commit is contained in:
Gusted 2024-10-25 08:18:26 +02:00 committed by Earl Warren
parent 00379db370
commit 53231bad61
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
2 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
routers/private/internal.go
View file

@ -5,6 +5,7 @@
package private
import (
"crypto/subtle"
"net/http"
"strings"
@ -28,7 +29,7 @@ func CheckInternalToken(next http.Handler) http.Handler {
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
return
}
if len(fields) != 2 || fields[0] != "Bearer" || fields[1] != setting.InternalToken {
if len(fields) != 2 || fields[0] != "Bearer" || subtle.ConstantTimeCompare([]byte(fields[1]), []byte(setting.InternalToken)) == 0 {
log.Debug("Forbidden attempt to access internal url: Authorization header: %s", tokens)
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
} else {