aboutsummaryrefslogtreecommitdiff
path: root/internal/ui/middleware.go
diff options
context:
space:
mode:
authorGravatar jvoisin <julien.voisin@dustri.org> 2024-03-04 00:08:55 +0100
committerGravatar Frédéric Guillot <f@miniflux.net> 2024-03-03 20:28:13 -0800
commitd55b41080062915e728b6afb75f5623927f100f7 (patch)
tree2e2633259c7398f09df6e94a314095b7a989cfe8 /internal/ui/middleware.go
parent9fe99ce7fa99c3b1acd9b7894fcc8350e2564d97 (diff)
downloadv2-d55b41080062915e728b6afb75f5623927f100f7.tar.gz
v2-d55b41080062915e728b6afb75f5623927f100f7.tar.zst
v2-d55b41080062915e728b6afb75f5623927f100f7.zip
Use constant-time comparison for anti-csrf tokens
This is probably completely overkill, but since anti-csrf tokens are secrets, they should be compared against untrusted inputs in constant time.
Diffstat (limited to 'internal/ui/middleware.go')
-rw-r--r--internal/ui/middleware.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/internal/ui/middleware.go b/internal/ui/middleware.go
index 79e433e9..3a4a55e5 100644
--- a/internal/ui/middleware.go
+++ b/internal/ui/middleware.go
@@ -10,6 +10,7 @@ import (
"net/http"
"miniflux.app/v2/internal/config"
+ "miniflux.app/v2/internal/crypto"
"miniflux.app/v2/internal/http/cookie"
"miniflux.app/v2/internal/http/request"
"miniflux.app/v2/internal/http/response/html"
@@ -92,7 +93,7 @@ func (m *middleware) handleAppSession(next http.Handler) http.Handler {
formValue := r.FormValue("csrf")
headerValue := r.Header.Get("X-Csrf-Token")
- if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
+ if !crypto.ConstantTimeCmp(session.Data.CSRF, formValue) && !crypto.ConstantTimeCmp(session.Data.CSRF, headerValue) {
slog.Warn("Invalid or missing CSRF token",
slog.Any("url", r.RequestURI),
slog.String("form_csrf", formValue),
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-01 13:53:11 +0000