diff options
| author | 2021-08-19 11:37:49 +0100 | |
|---|---|---|
| committer | 2021-08-19 11:37:49 +0100 | |
| commit | 8fe393bcf510ae7f90d1da922c90846c5adb06eb (patch) | |
| tree | eb5cb5f19c68ebf04de082dc5f28620e8dceb599 /src/modules/m_httpd_acl.cpp | |
| parent | Implement support for websocket subprotocols. (diff) | |
Use timing safe comparisons for the httpd_acl username and password.
Diffstat (limited to 'src/modules/m_httpd_acl.cpp')
| -rw-r--r-- | src/modules/m_httpd_acl.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/modules/m_httpd_acl.cpp b/src/modules/m_httpd_acl.cpp index 3224d8b91..d6a2d6474 100644 --- a/src/modules/m_httpd_acl.cpp +++ b/src/modules/m_httpd_acl.cpp @@ -194,7 +194,8 @@ class ModuleHTTPAccessList : public Module, public HTTPACLEventListener userpasspair.GetToken(pass); /* Access granted if username and password are correct */ - if (user == this_acl->username && pass == this_acl->password) + if (InspIRCd::TimingSafeCompare(user, this_acl->username) + && InspIRCd::TimingSafeCompare(pass, this_acl->password)) { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username match"); return true; |
