From 0b4d62892c0db4e83e4755ab679ddba67f011ed5 Mon Sep 17 00:00:00 2001
From: Vladislav Yarmak
Date: Sun, 24 May 2020 19:49:40 +0300
Subject: [PATCH] proper constant time compare for hidden domain

---
 auth.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/auth.go b/auth.go
index 0faa142..db9f4cd 100644
--- a/auth.go
+++ b/auth.go
@@ -58,7 +58,9 @@ func NewStaticAuth(param_url *url.URL) (*StaticAuth, error) {
 }
 
 func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain string) {
- if hidden_domain != "" && req.URL.Host != hidden_domain && req.Host != hidden_domain {
+ if hidden_domain != "" &&
+ (subtle.ConstantTimeCompare([]byte(req.URL.Host), []byte(hidden_domain)) != 1 &&
+ subtle.ConstantTimeCompare([]byte(req.Host), []byte(hidden_domain)) != 1) {
 http.Error(wr, "Bad Request", http.StatusBadRequest)
 } else {
 wr.Header().Set("Proxy-Authenticate", `Basic realm="dumbproxy"`)
@@ -83,8 +85,7 @@ func (auth *StaticAuth) Validate(wr http.ResponseWriter, req *http.Request) bool
 ok := (subtle.ConstantTimeCompare([]byte(token), []byte(auth.token)) == 1)
 if ok {
 if auth.hiddenDomain != "" &&
- (subtle.ConstantTimeCompare([]byte(req.Host), []byte(auth.hiddenDomain)) == 1 ||
- subtle.ConstantTimeCompare([]byte(req.URL.Host), []byte(auth.hiddenDomain)) == 1) {
+ (req.Host == auth.hiddenDomain || req.URL.Host == auth.hiddenDomain) {
 http.Error(wr, "Browser auth triggered!", http.StatusGone)
 return false
 } else {
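Review bot: The two new `subtle.ConstantTimeCompare` calls in requireBasicAuth still let comparison time depend on the length of hidden_domain, because ConstantTimeCompare returns 0 immediately when the byte slices differ in length and only runs in constant time for equal-length inputs. On this unauthenticated path that means a caller varying the Host header can still learn the secret's length, even though its contents are now protected; whether that residual leak matters is a threat-model call, but the title promises a "proper" compare. Hashing both sides to a fixed width before the compare removes the length dependence at the cost of one `crypto/sha256` import, as in the helper below; the short-circuit `&&` between the two compares also skips the second call when the first already matched, which is harmless because a match means the client already knows the domain. requireBasicAuth's else branch continues past the end of the hunk.
```go
// hiddenDomainMatches reports whether host equals hidden. Both values are
// hashed to a fixed size first so that neither the contents nor the length
// of hidden influence how long the comparison takes (needs "crypto/sha256").
func hiddenDomainMatches(host, hidden string) bool {
	a := sha256.Sum256([]byte(host))
	b := sha256.Sum256([]byte(hidden))
	return subtle.ConstantTimeCompare(a[:], b[:]) == 1
}

func requireBasicAuth(wr http.ResponseWriter, req *http.Request, hidden_domain string) {
	if hidden_domain != "" &&
		!hiddenDomainMatches(req.URL.Host, hidden_domain) &&
		!hiddenDomainMatches(req.Host, hidden_domain) {
		// … unchanged: Bad Request / Proxy-Authenticate branches …
```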
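Review bot: The second hunk replaces the constant-time hidden-domain check in Validate with plain `==`, and nothing in the code records why that is acceptable: the comparison is only reached inside `if ok`, i.e. after the token compare on the line above succeeded, so an unauthenticated client cannot probe it. That reasoning is invisible to the next person who refactors the function, and moving the hidden-domain check ahead of the token check would silently reintroduce the side channel this commit is removing from requireBasicAuth. Add a short comment on the new line, e.g. `// Plain comparison is fine here: this branch runs only after the token was accepted, so the hidden domain is not exposed to unauthenticated timing probes.`. Validate's signature and its else branch lie outside the hunk.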