oss/miniflux-v2
oss/miniflux-v2
1
0
Fork 0
mirror of https://github.com/miniflux/v2.git synced 2025-08-06 17:41:00 +00:00
Code Wiki Activity

Use constant-time comparison for anti-csrf tokens

Browse source 
This is probably completely overkill, but since anti-csrf tokens are secrets,
they should be compared against untrusted inputs in constant time.
This commit is contained in:
jvoisin 2024-03-04 00:08:55 +01:00 committed by Frédéric Guillot
parent 9fe99ce7fa
commit d55b410800
2 changed files with 7 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
internal/ui/middleware.go
View file

@ -10,6 +10,7 @@ import (
"net/http"
"miniflux.app/v2/internal/config"
"miniflux.app/v2/internal/crypto"
"miniflux.app/v2/internal/http/cookie"
"miniflux.app/v2/internal/http/request"
"miniflux.app/v2/internal/http/response/html"
@ -92,7 +93,7 @@ func (m *middleware) handleAppSession(next http.Handler) http.Handler {
formValue := r.FormValue("csrf")
headerValue := r.Header.Get("X-Csrf-Token")
if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
if !crypto.ConstantTimeCmp(session.Data.CSRF, formValue) && !crypto.ConstantTimeCmp(session.Data.CSRF, headerValue) {
slog.Warn("Invalid or missing CSRF token",
slog.Any("url", r.RequestURI),
slog.String("form_csrf", formValue),