Merge pull request #81152 from tedyu/const-pass-cmp

Constant time password comparison
Kubernetes Prow Robot 2019-08-08 12:35:59 -07:00 committed by GitHub
commit f4e39afea0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 1 deletions


@ -259,6 +259,7 @@ func (s *BuiltInAuthenticationOptions) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+ fs.StringVar(&s.PasswordFile.BasicAuthFile, "basic-auth-file", s.PasswordFile.BasicAuthFile, ""+
"If set, the file that will be used to admit requests to the secure port of the API server "+ "If set, the file that will be used to admit requests to the secure port of the API server "+
"via http basic authentication.") "via http basic authentication.")
fs.MarkDeprecated("basic-auth-file", "Basic authentication mode is deprecated and will be removed in a future release. It is not recommended for production environments.")
} }
if s.RequestHeader != nil { if s.RequestHeader != nil {
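Review bot: The error returned by `fs.MarkDeprecated` on the added line is discarded; pflag's MarkDeprecated returns a non-nil error when the named flag is not registered or the usage message is empty, so a mistyped flag name would silently leave the deprecation notice off. Because the flag is registered on the line directly above, such a failure would be a programming error rather than a runtime condition, so either check it or make the intent explicit: `_ = fs.MarkDeprecated("basic-auth-file", "…") // flag registered above; cannot fail`. AddFlags begins and ends outside this hunk.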


@ -18,6 +18,7 @@ package passwordfile
import ( import (
"context" "context"
"crypto/subtle"
"encoding/csv" "encoding/csv"
"fmt" "fmt"
"io" "io"
@ -85,7 +86,7 @@ func (a *PasswordAuthenticator) AuthenticatePassword(ctx context.Context, userna
if !ok { if !ok {
return nil, false, nil return nil, false, nil
} }
if user.password != password { if subtle.ConstantTimeCompare([]byte(user.password), []byte(password)) == 0 {
return nil, false, nil return nil, false, nil
} }
return &authenticator.Response{User: user.info}, true, nil return &authenticator.Response{User: user.info}, true, nil
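Review bot: The new `subtle.ConstantTimeCompare` call makes only the content comparison constant-time; per its documentation it returns 0 immediately when the two slices differ in length, so a timing difference between a wrong-length and a right-length guess remains, and since this file stores passwords in clear text that difference is a function of the stored password's length. The unknown-user path three lines above also returns before any comparison is performed, so the commit narrows rather than eliminates timing side channels in this function, and the line deserves a comment saying so: `// Constant-time on content only: ConstantTimeCompare returns 0 at once on a length mismatch.` Storing hashed credentials instead of plaintext would remove the dependence on the stored secret altogether, but that is a larger change than this commit. AuthenticatePassword's signature lies outside the hunk.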