vic/filebrozer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge commit from fork

Browse Source 
Added a dummy bcrypt hash to prevent user enumeration timing attacks in JSON authentication.
This commit is contained in:
GUCHI
2026-01-18 08:44:16 +01:00
committed by GitHub
parent 4094fb359b
commit 24781badd4
1 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
auth/json.go
View File

@@ -14,6 +14,10 @@ import (
// MethodJSONAuth is used to identify json auth. // MethodJSONAuth is used to identify json auth.
const MethodJSONAuth settings.AuthMethod = "json" const MethodJSONAuth settings.AuthMethod = "json"
// dummyHash is used to prevent user enumeration timing attacks.
// It MUST be a valid bcrypt hash.
const dummyHash = "$2a$10$O4mEMeOL/nit6zqe.WQXauLRbRlzb3IgLHsa26Pf0N/GiU9b.wK1m"
type jsonCred struct { type jsonCred struct {
Password string `json:"password"` Password string `json:"password"`
Username string `json:"username"` Username string `json:"username"`
@@ -52,7 +56,17 @@ func (a JSONAuth) Auth(r *http.Request, usr users.Store, _ *settings.Settings, s
} }
u, err := usr.Get(srv.Root, cred.Username) u, err := usr.Get(srv.Root, cred.Username)
if err != nil || !users.CheckPwd(cred.Password, u.Password) {
hash := dummyHash
if err == nil {
hash = u.Password
}
if !users.CheckPwd(cred.Password, hash) {
return nil, os.ErrPermission
}
if err != nil {
return nil, os.ErrPermission return nil, os.ErrPermission
} }