Merge pull request #81152 from tedyu/const-pass-cmp

Constant time password comparison
This commit is contained in:
Kubernetes Prow Robot 2019-08-08 12:35:59 -07:00 committed by GitHub
commit f4e39afea0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 1 deletions

View File

@ -259,6 +259,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
"If set, the file that will be used to admit requests to the secure port of the API server "+
"via http basic authentication.")
fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
}
if s.RequestHeader != nil {

View File

@ -18,6 +18,7 @@ package passwordfile
import (
"context"
"crypto/subtle"
"encoding/csv"
"fmt"
"io"
@ -85,7 +86,7 @@ func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, userna
if !ok {
return nil, false, nil
}
if user.password != password {
if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
return nil, false, nil
}
return &authenticator.Response{User: user.info}, true, nil