aboutsummaryrefslogtreecommitdiff
path: root/internal/ui/middleware.go
diff options
context:
space:
mode:
Diffstat (limited to 'internal/ui/middleware.go')
-rw-r--r--internal/ui/middleware.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/internal/ui/middleware.go b/internal/ui/middleware.go
index 79e433e9..3a4a55e5 100644
--- a/internal/ui/middleware.go
+++ b/internal/ui/middleware.go
@@ -10,6 +10,7 @@ import (
"net/http"
"miniflux.app/v2/internal/config"
+ "miniflux.app/v2/internal/crypto"
"miniflux.app/v2/internal/http/cookie"
"miniflux.app/v2/internal/http/request"
"miniflux.app/v2/internal/http/response/html"
@@ -92,7 +93,7 @@ func (m *middleware) handleAppSession(next http.Handler) http.Handler {
formValue := r.FormValue("csrf")
headerValue := r.Header.Get("X-Csrf-Token")
- if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
+ if !crypto.ConstantTimeCmp(session.Data.CSRF, formValue) && !crypto.ConstantTimeCmp(session.Data.CSRF, headerValue) {
slog.Warn("Invalid or missing CSRF token",
slog.Any("url", r.RequestURI),
slog.String("form_csrf", formValue),
generated by cgit v1.2.3 (git 2.39.1) at 2025-08-02 04:00:19 +0000