From bb605a6b91073714f6b9a59b86c25c1b46bd2ba9 Mon Sep 17 00:00:00 2001
From: Christopher Speller
Date: Mon, 10 Sep 2018 06:19:29 -0700
Subject: Changing comparison method. (#9383)
---
 api4/file.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'api4')
diff --git a/api4/file.go b/api4/file.go
index cfb72cdcb..3bb4ea9d6 100644
--- a/api4/file.go
+++ b/api4/file.go
@@ -4,6 +4,7 @@
 package api4
 
 import (
+ "crypto/subtle"
 "io"
 "io/ioutil"
 "net/http"
@@ -342,7 +343,7 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if hash != app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt) {
+ if subtle.ConstantTimeCompare([]byte(hash), []byte(app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt))) != 1 {
 c.Err = model.NewAppError("getPublicFile", "api.file.get_file.public_invalid.app_error", nil, "", http.StatusBadRequest)
 utils.RenderWebAppError(c.App.Config(), w, r, c.Err, c.App.AsymmetricSigningKey())
 return
-- 
cgit v1.2.3-1-g7c22
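Review bot: The new check in getPublicFile carries no comment saying why it uses `subtle.ConstantTimeCompare`, and the commit subject ("Changing comparison method") does not record the reason either, so a later cleanup could turn it back into `!=`. I would name the expected value and document the intent: `expected := app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt)`, then `// Constant-time compare so response timing does not reveal how much of the supplied hash matched.` above `if subtle.ConstantTimeCompare([]byte(hash), []byte(expected)) != 1 {`. ConstantTimeCompare returns 0 immediately when the two lengths differ, which is acceptable only because the length of the generated hash is not secret; that is worth stating in the same comment. `hash` is presumably taken from the request, but it is assigned outside this hunk, as is any nil check on `PublicLinkSalt` before it is dereferenced here.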