basic auth: fix timing oracle (#2609)

Snawoot · thinkerou · web-flow · commit b01605bb5b43 · 2021-01-13T09:40:37.000+08:00
Co-authored-by: thinkerou &lt;thinkerou@gmail.com&gt;
diff --git a/auth.go b/auth.go
@@ -5,6 +5,7 @@
 package gin
 
 import (
+	"crypto/subtle"
 	"encoding/base64"
 	"net/http"
 	"strconv"
@@ -30,7 +31,7 @@ func (a authPairs) searchCredential(authValue string) (string, bool) {
 		return "", false
 	}
 	for _, pair := range a {
-		if pair.value == authValue {
+		if subtle.ConstantTimeCompare([]byte(pair.value), []byte(authValue)) == 1 {
 			return pair.user, true
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`package gin`
`6`	`6`
`7`	`7`	`import (`
	`8`	`+ "crypto/subtle"`
`8`	`9`	`"encoding/base64"`
`9`	`10`	`"net/http"`
`10`	`11`	`"strconv"`
`@@ -30,7 +31,7 @@ func (a authPairs) searchCredential(authValue string) (string, bool) {`
`30`	`31`	`return "", false`
`31`	`32`	`}`
`32`	`33`	`for _, pair := range a {`
`33`		`- if pair.value == authValue {`
	`34`	`+ if subtle.ConstantTimeCompare([]byte(pair.value), []byte(authValue)) == 1 {`
`34`	`35`	`return pair.user, true`
`35`	`36`	`}`
`36`	`37`	`}`