github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 11:50:44 +00:00
Code Issues Projects Releases Wiki Activity

Constant time password comparison

Browse Source
This commit is contained in:
Ted Yu 2019-08-07 22:07:56 -07:00 committed by Ted Yu
parent 6049253aae
commit 3d2bc6f6ae
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/kubeapiserver/options/authentication.go
View File

@ -259,6 +259,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
"If set, the file that will be used to admit requests to the secure port of the API server "+
"via http basic authentication.")
fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
}
if s.RequestHeader != nil {

3
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go
View File

@ -18,6 +18,7 @@ package passwordfile
import (
"context"
"crypto/subtle"
"encoding/csv"
"fmt"
"io"
@ -85,7 +86,7 @@ func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, userna
if !ok {
return nil, false, nil
}
if user.password != password {
if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
return nil, false, nil
}
return &authenticator.Response{User: user.info}, true, nil