drive: use secret token to authenticate access to file server on localhost

This prevents Mark-of-the-Web bypass attacks in case someone visits the
localhost WebDAV server directly.

Fixes tailscale/corp#19592

Signed-off-by: Percy Wegmann <percy@tailscale.com>
This commit is contained in:
Percy Wegmann 2024-05-01 14:27:49 -05:00 committed by Percy Wegmann
parent 9d22ec0ba2
commit 0c11fd978b

View File

@ -5,6 +5,7 @@
import (
"crypto/rand"
"crypto/subtle"
"encoding/hex"
"fmt"
"net"
@ -117,7 +118,8 @@ func (s *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
parts := shared.CleanAndSplit(r.URL.Path)
token := parts[0]
if token != s.secretToken {
a, b := []byte(token), []byte(s.secretToken)
if len(a) != len(b) || subtle.ConstantTimeCompare(a, b) != 1 {
w.WriteHeader(http.StatusForbidden)
return
}