Implement constant time equal check for admin, 2fa recover and 2fa remember tokens

2025-09-12 12:42:42 +00:00 · 2019-02-11 23:45:55 +01:00 · 2019-02-11 23:45:55 +01:00 · 9636f33fdb
commit 9636f33fdb
parent bbe2a1b264
4 changed files with 13 additions and 3 deletions
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@ -89,7 +89,7 @@ fn post_admin_login(data: Form<LoginForm>, mut cookies: Cookies, ip: ClientIp) -
 fn _validate_token(token: &str) -> bool {
    match CONFIG.admin_token().as_ref() {
        None => false,
-        Some(t) => t == token,
+        Some(t) => crate::crypto::ct_eq(t, token),
    }
 }