aboutsummaryrefslogtreecommitdiff
path: root/src/modules/m_httpd_acl.cpp
diff options
context:
space:
mode:
authorGravatar Sadie Powell2021-08-19 11:37:49 +0100
committerGravatar Sadie Powell2021-08-19 11:37:49 +0100
commit8fe393bcf510ae7f90d1da922c90846c5adb06eb (patch)
treeeb5cb5f19c68ebf04de082dc5f28620e8dceb599 /src/modules/m_httpd_acl.cpp
parentImplement support for websocket subprotocols. (diff)
Use timing safe comparisons for the httpd_acl username and password.
Diffstat (limited to 'src/modules/m_httpd_acl.cpp')
-rw-r--r--src/modules/m_httpd_acl.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/modules/m_httpd_acl.cpp b/src/modules/m_httpd_acl.cpp
index 3224d8b91..d6a2d6474 100644
--- a/src/modules/m_httpd_acl.cpp
+++ b/src/modules/m_httpd_acl.cpp
@@ -194,7 +194,8 @@ class ModuleHTTPAccessList : public Module, public HTTPACLEventListener
userpasspair.GetToken(pass);
/* Access granted if username and password are correct */
- if (user == this_acl->username && pass == this_acl->password)
+ if (InspIRCd::TimingSafeCompare(user, this_acl->username)
+ && InspIRCd::TimingSafeCompare(pass, this_acl->password))
{
ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username match");
return true;