Merge pull request #81152 from tedyu/const-pass-cmp
Constant time password comparison
This commit is contained in:
commit
f4e39afea0
@ -259,6 +259,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
|
|||||||
fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
|
fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
|
||||||
"If set, the file that will be used to admit requests to the secure port of the API server "+
|
"If set, the file that will be used to admit requests to the secure port of the API server "+
|
||||||
"via http basic authentication.")
|
"via http basic authentication.")
|
||||||
|
fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
|
||||||
}
|
}
|
||||||
|
|
||||||
if s.RequestHeader != nil {
|
if s.RequestHeader != nil {
|
||||||
|
@ -18,6 +18,7 @@ package passwordfile
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
|
"crypto/subtle"
|
||||||
"encoding/csv"
|
"encoding/csv"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
@ -85,7 +86,7 @@ func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, userna
|
|||||||
if !ok {
|
if !ok {
|
||||||
return nil, false, nil
|
return nil, false, nil
|
||||||
}
|
}
|
||||||
if user.password != password {
|
if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
|
||||||
return nil, false, nil
|
return nil, false, nil
|
||||||
}
|
}
|
||||||
return &authenticator.Response{User: user.info}, true, nil
|
return &authenticator.Response{User: user.info}, true, nil
|
||||||
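Review bot: The new check `if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0` still returns early when the two inputs differ in length, because ConstantTimeCompare yields 0 without scanning the bytes in that case, so response timing can reveal the stored password's length even though byte-by-byte mismatch timing is now hidden. If that leak matters here, compare fixed-size digests instead: `expected := sha256.Sum256([]byte(user.password))`, `got := sha256.Sum256([]byte(password))`, `if subtle.ConstantTimeCompare(expected[:], got[:]) == 0 {` (with `crypto/sha256` added to the import block). A one-line comment above the check would also help the next reader, e.g. `// Constant-time compare so a mismatch does not reveal how many leading bytes matched.`. Note that user.password appears to be compared directly with the submitted value, which suggests the file holds plaintext credentials; the constant-time compare narrows the timing side channel but does not change that exposure, and the first hunk marks the flag deprecated. AuthenticatePassword's signature and the lookup that sets ok are outside this hunk.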