github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 20:53:33 +00:00
Code Issues Projects Releases Wiki Activity

Constant time password comparison

Browse Source
This commit is contained in:
Ted Yu 2019-08-07 22:07:56 -07:00 committed by Ted Yu
parent 6049253aae
commit 3d2bc6f6ae
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
pkg/kubeapiserver/options/authentication.go
View File

@ -259,6 +259,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+ fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
"If set, the file that will be used to admit requests to the secure port of the API server "+ "If set, the file that will be used to admit requests to the secure port of the API server "+
"via http basic authentication.") "via http basic authentication.")
fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
} }
if s.RequestHeader != nil { if s.RequestHeader != nil {

3
staging/src/k8s.io/apiserver/plugin/pkg/authenticator/password/passwordfile/passwordfile.go
View File

@ -18,6 +18,7 @@ package passwordfile
import ( import (
"context" "context"
"crypto/subtle"
"encoding/csv" "encoding/csv"
"fmt" "fmt"
"io" "io"
@ -85,7 +86,7 @@ func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, userna
if !ok { if !ok {
return nil, false, nil return nil, false, nil
} }
if user.password != password { if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
return nil, false, nil return nil, false, nil
} }
return &authenticator.Response{User: user.info}, true, nil return &authenticator.Response{User: user.info}, true, nil