acl: use constant time comparing to check token (#6943)

Hans Hasselberg 2019-12-16 21:54:52 +01:00 committed by GitHub
parent 26d8dd8aac
commit ae23376218
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 1 deletions


@ -2,6 +2,8 @@ package token
import (
"sync"
"crypto/subtle"
)
type TokenSource bool
@ -166,5 +168,5 @@ func (t *Store) IsAgentMasterToken(token string) bool {
t.l.RLock()
defer t.l.RUnlock()
return (token != "") && (token == t.agentMasterToken)
return (token != "") && (subtle.ConstantTimeCompare([]byte(token), []byte(t.agentMasterToken)) == 1)
}
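Review bot: `subtle.ConstantTimeCompare` returns 0 immediately when its two slices differ in length, so the new return line in `IsAgentMasterToken` is constant-time only for candidates of the same length as `t.agentMasterToken`, and the configured token's length stays observable through timing. If tokens are fixed-length (the page does not show their format), that is acceptable, and a comment above the return would record the assumption: `// ConstantTimeCompare exits early on length mismatch; token length is not treated as secret.` If the length must also be hidden, compare fixed-size digests of both values instead of the raw bytes. The function begins above the hunk's first line; only its signature is visible, in the hunk header.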