authorCarlos Tadeu Panato Junior <ctadeu@gmail.com>2018-09-10 16:13:21 +0200
committerGitHub <noreply@github.com>2018-09-10 16:13:21 +0200
commit1f87596e7545cac041ed66e3640ec98bd09f129c (patch)
tree834a3cfeeda909b11d066084d81ac280d5574a77 /api4
parent435ce3df4b1671643f5427b8983d6a0fe1e1dc03 (diff)
parenta8d116b381ec9c28c5da5c8ee39a3699f568130d (diff)
Merge release-5.3
Diffstat (limited to 'api4')
-rw-r--r--api4/channel.go11
-rw-r--r--api4/file.go3
2 files changed, 9 insertions, 5 deletions
diff --git a/api4/channel.go b/api4/channel.go
index 1599b6e70..d497c9793 100644
--- a/api4/channel.go
+++ b/api4/channel.go
@@ -97,10 +97,11 @@ func updateChannel(c *Context, w http.ResponseWriter, r *http.Request) {
}
var oldChannel *model.Channel
- var err *model.AppError
- if oldChannel, err = c.App.GetChannel(channel.Id); err != nil {
+ if originalOldChannel, err := c.App.GetChannel(channel.Id); err != nil {
c.Err = err
return
+ } else {
+ oldChannel = originalOldChannel.DeepCopy()
}
switch oldChannel.Type {
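Review bot: Nothing at the `oldChannel = originalOldChannel.DeepCopy()` line says why the copy is needed, so a later cleanup could drop it and bring back whatever aliasing it fixes; the same applies to the identical line in the patchChannel hunk. If the intent is that c.App.GetChannel can return a pointer shared with other requests (for example a cache entry, which is not visible here), a comment such as `// GetChannel may return a shared object; copy it before mutating so a rejected or failed update cannot alter the original.` would record that. The `if …; err != nil { … return } else { … }` shape also leaves the happy path in an else after a return; declaring `originalOldChannel, err := c.App.GetChannel(channel.Id)` on its own line would let the copy sit unindented after the guard, provided no later code in the function depends on the current scoping of err. Both function bodies continue outside the hunks.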
@@ -229,10 +230,12 @@ func patchChannel(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- oldChannel, err := c.App.GetChannel(c.Params.ChannelId)
- if err != nil {
+ var oldChannel *model.Channel
+ if originalOldChannel, err := c.App.GetChannel(c.Params.ChannelId); err != nil {
c.Err = err
return
+ } else {
+ oldChannel = originalOldChannel.DeepCopy()
}
switch oldChannel.Type {
diff --git a/api4/file.go b/api4/file.go
index cfb72cdcb..3bb4ea9d6 100644
--- a/api4/file.go
+++ b/api4/file.go
@@ -4,6 +4,7 @@
package api4
import (
+ "crypto/subtle"
"io"
"io/ioutil"
"net/http"
@@ -342,7 +343,7 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if hash != app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt) {
+ if subtle.ConstantTimeCompare([]byte(hash), []byte(app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt))) != 1 {
c.Err = model.NewAppError("getPublicFile", "api.file.get_file.public_invalid.app_error", nil, "", http.StatusBadRequest)
utils.RenderWebAppError(c.App.Config(), w, r, c.Err, c.App.AsymmetricSigningKey())
return
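Review bot: The new comparison line packs the hash generation, two byte conversions and the constant-time check into one expression with no comment on why `!=` was replaced, which makes the security intent easy to miss in a later refactor. Splitting it reads better: `expected := app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt)` followed by `if subtle.ConstantTimeCompare([]byte(hash), []byte(expected)) != 1 {`, with a comment such as `// Constant-time compare so response timing does not reveal how much of the supplied hash matched.` It is also worth noting there that ConstantTimeCompare returns 0 immediately when the lengths differ, which is acceptable only because the expected hash length is not secret. The comparison does nothing for a weak or empty PublicLinkSalt; whether that is validated is not visible in this hunk, and getPublicFile's body continues outside it.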