proper constant time compare for hidden domain

This commit is contained in:
Vladislav Yarmak 2020-05-24 19:49:40 +03:00
parent 1889908fe9
commit 0b4d62892c
1 changed files with 4 additions and 3 deletions


@ -58,7 +58,9 @@ func NewStaticAuth(param_url *url.URL) (*StaticAuth, error) {
}
func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain string) {
if hidden_domain != "" && req.URL.Host != hidden_domain && req.Host != hidden_domain {
if hidden_domain != "" &&
(subtle.ConstantTimeCompare([]byte(req.URL.Host), []byte(hidden_domain)) != 1 &&
subtle.ConstantTimeCompare([]byte(req.Host), []byte(hidden_domain)) != 1) {
http.Error(wr, "Bad Request", http.StatusBadRequest)
} else {
wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`)
@ -83,8 +85,7 @@ func (auth *StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth.token)) == 1)
if ok {
if auth.hiddenDomain != "" &&
(subtle.ConstantTimeCompare([]byte(req.Host), []byte(auth.hiddenDomain)) == 1 ||
subtle.ConstantTimeCompare([]byte(req.URL.Host), []byte(auth.hiddenDomain)) == 1) {
(req.Host == auth.hiddenDomain || req.URL.Host == auth.hiddenDomain) {
http.Error(wr, "Browser auth triggered!", http.StatusGone)
return false
} else {
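Review bot: The new guard in requireBasicAuth (the `subtle.ConstantTimeCompare` calls on both Host values) is still length-dependent: the crypto/subtle documentation states that ConstantTimeCompare returns 0 immediately when the two slices differ in length, so the time taken on the unauthenticated path still depends on whether the request's Host length matches hidden_domain. If the hidden domain is meant to stay undiscoverable to unauthenticated clients, compare fixed-length digests instead, e.g. `subtle.ConstantTimeCompare(hostSum[:], domainSum[:])` with both sides computed by `sha256.Sum256` (needs a crypto/sha256 import); otherwise a short comment above the `if` noting the residual length dependence would keep the intent clear. The second hunk deliberately replaces the constant-time compare in Validate with plain `==`, which is defensible because that branch sits under `if ok {` and is only reached once the token already matched, but a comment such as `// plain compare is fine: only reached after the token was validated` would stop a later reader from "fixing" it back. requireBasicAuth's body continues past the end of the first hunk.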