From 0c11fd978b0500b3e80ff474de182a1ac26fb0e4 Mon Sep 17 00:00:00 2001 From: Percy Wegmann Date: Wed, 1 May 2024 14:27:49 -0500 Subject: [PATCH] drive: use secret token to authenticate access to file server on localhost This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann --- drive/driveimpl/fileserver.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drive/driveimpl/fileserver.go b/drive/driveimpl/fileserver.go index 5d9f183a7..9a4a2d323 100644 --- a/drive/driveimpl/fileserver.go +++ b/drive/driveimpl/fileserver.go @@ -5,6 +5,7 @@ import ( "crypto/rand" + "crypto/subtle" "encoding/hex" "fmt" "net" @@ -117,7 +118,8 @@ func (s *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { parts := shared.CleanAndSplit(r.URL.Path) token := parts[0] - if token != s.secretToken { + a, b := []byte(token), []byte(s.secretToken) + if len(a) != len(b) || subtle.ConstantTimeCompare(a, b) != 1 { w.WriteHeader(http.StatusForbidden) return }
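Review bot: The explicit `len(a) != len(b)` guard in the new condition is redundant, since `subtle.ConstantTimeCompare` already returns 0 when the lengths differ; the check reads more simply as `if subtle.ConstantTimeCompare([]byte(token), []byte(s.secretToken)) != 1 {` with a why-comment such as `// Constant-time compare so response timing can't leak the token byte by byte.` The early length exit leaks only the secret's length, which is presumably fixed if the token is hex-encoded random bytes (the file imports crypto/rand and encoding/hex), so this is a style point rather than a weakness. Separately, if `s.secretToken` can ever be empty (a zero-value FileServer, or a caller that never set it), an empty first path segment would satisfy the comparison, so consider rejecting that case explicitly: `if s.secretToken == "" || subtle.ConstantTimeCompare([]byte(token), []byte(s.secretToken)) != 1 {`. ServeHTTP's body begins and continues outside this hunk, so the handling of an empty `parts` slice before `parts[0]` cannot be checked here.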