diff options
| author | Christopher Speller <crspeller@gmail.com> | 2018-09-10 06:19:29 -0700 |
|---|---|---|
| committer | Carlos Tadeu Panato Junior <ctadeu@gmail.com> | 2018-09-10 15:19:29 +0200 |
| commit | bb605a6b91073714f6b9a59b86c25c1b46bd2ba9 (patch) | |
| tree | 1d66d49d4e790d8899d4b4f116cba880835c1cdb /api4 | |
| parent | 72258266aa4556557262bb517918ba2194bd7edb (diff) | |
| download | chat-bb605a6b91073714f6b9a59b86c25c1b46bd2ba9.tar.gz chat-bb605a6b91073714f6b9a59b86c25c1b46bd2ba9.tar.bz2 chat-bb605a6b91073714f6b9a59b86c25c1b46bd2ba9.zip | |
Changing comparison method. (#9383)
Diffstat (limited to 'api4')
| -rw-r--r-- | api4/file.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/api4/file.go b/api4/file.go index cfb72cdcb..3bb4ea9d6 100644 --- a/api4/file.go +++ b/api4/file.go @@ -4,6 +4,7 @@ package api4 import ( + "crypto/subtle" "io" "io/ioutil" "net/http" @@ -342,7 +343,7 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) { return } - if hash != app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt) { + if subtle.ConstantTimeCompare([]byte(hash), []byte(app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt))) != 1 { c.Err = model.NewAppError("getPublicFile", "api.file.get_file.public_invalid.app_error", nil, "", http.StatusBadRequest) utils.RenderWebAppError(c.App.Config(), w, r, c.Err, c.App.AsymmetricSigningKey()) return |