Merge pull request #3771 from bergquist/contant_time_comparison

fix(login): fix vulnerbility for timing attacks
2025-01-10 08:03:58 -06:00 · 2016-01-18 08:44:11 +01:00 · 2016-01-18 08:44:11 +01:00 · 9b42b33648
commit 9b42b33648
parent 30c19d525e 053868f593
1 changed files with 2 additions and 1 deletions
--- a/pkg/login/auth.go
+++ b/pkg/login/auth.go
@ -3,6 +3,7 @@ package login
 import (
 	"errors"

+	"crypto/subtle"
 	"github.com/grafana/grafana/pkg/bus"
 	m "github.com/grafana/grafana/pkg/models"
 	"github.com/grafana/grafana/pkg/setting"
@ -56,7 +57,7 @@ func loginUsingGrafanaDB(query *LoginUserQuery) error {
 	user := userQuery.Result

 	passwordHashed := util.EncodePassword(query.Password, user.Salt)
-	if passwordHashed != user.Password {
+	if subtle.ConstantTimeCompare([]byte(passwordHashed), []byte(user.Password)) != 1 {
 		return ErrInvalidCredentials
 	}