mirrors/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-12-05 01:12:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

ipn/localapi: use constant-time comparison for RequiredPassword (#17906)

Browse Source 
Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov 2025-11-14 12:58:53 -08:00 committed by GitHub
parent 9134440008
commit 888a5d4812
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ipn/localapi/localapi.go
View File

@ -7,6 +7,7 @@ package localapi
import (
"bytes"
"cmp"
"crypto/subtle"
"encoding/json"
"errors"
"fmt"
@ -257,7 +258,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
http.Error(w, "auth required", http.StatusUnauthorized)
return
}
if pass != h.RequiredPassword {
if subtle.ConstantTimeCompare([]byte(pass), []byte(h.RequiredPassword)) == 0 {
metricInvalidRequests.Add(1)
http.Error(w, "bad password", http.StatusForbidden)
return