From 8fe393bcf510ae7f90d1da922c90846c5adb06eb Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Thu, 19 Aug 2021 11:37:49 +0100 Subject: Use timing safe comparisons for the httpd_acl username and password. --- src/modules/m_httpd_acl.cpp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/modules/m_httpd_acl.cpp') diff --git a/src/modules/m_httpd_acl.cpp b/src/modules/m_httpd_acl.cpp index 3224d8b91..d6a2d6474 100644 --- a/src/modules/m_httpd_acl.cpp +++ b/src/modules/m_httpd_acl.cpp @@ -194,7 +194,8 @@ class ModuleHTTPAccessList : public Module, public HTTPACLEventListener userpasspair.GetToken(pass); /* Access granted if username and password are correct */ - if (user == this_acl->username && pass == this_acl->password) + if (InspIRCd::TimingSafeCompare(user, this_acl->username) + && InspIRCd::TimingSafeCompare(pass, this_acl->password)) { ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "HTTP authorization: password and username match"); return true; -- cgit v1.3.1-10-gc9f91