ipn/localapi: use constant-time comparison for RequiredPassword (#17906)

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov
2025-11-14 12:58:53 -08:00
committed by GitHub
parent 9134440008
commit 888a5d4812


@@ -7,6 +7,7 @@ package localapi
import ( import (
"bytes" "bytes"
"cmp" "cmp"
"crypto/subtle"
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
@@ -257,7 +258,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
http.Error(w, "auth required", http.StatusUnauthorized) http.Error(w, "auth required", http.StatusUnauthorized)
return return
} }
if pass != h.RequiredPassword { if subtle.ConstantTimeCompare([]byte(pass), []byte(h.RequiredPassword)) == 0 {
metricInvalidRequests.Add(1) metricInvalidRequests.Add(1)
http.Error(w, "bad password", http.StatusForbidden) http.Error(w, "bad password", http.StatusForbidden)
return return
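Review bot: `subtle.ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so the new check on the `if` line is constant-time only for candidates that match the length of `h.RequiredPassword`; the configured password's length stays observable through response timing. If that matters for this endpoint, compare fixed-length digests instead (needs a `crypto/sha256` import alongside the added `crypto/subtle`): `want := sha256.Sum256([]byte(h.RequiredPassword))`, `got := sha256.Sum256([]byte(pass))`, `if subtle.ConstantTimeCompare(got[:], want[:]) == 0 {`. If the length leak is acceptable, a one-line comment above the check, `// Constant-time on contents; the length of RequiredPassword is still observable.`, keeps the next reader from assuming more than the call provides. ServeHTTP begins before this hunk, so how `pass` is extracted and whether an empty `RequiredPassword` is rejected earlier is not visible here.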