fix: use constant-time comparison for share access token

Compare the share token with subtle.ConstantTimeCompare instead of ==.
This commit is contained in:
Henrique Dias 2026-06-03 12:21:23 +02:00
parent cdd666fc95
commit 19514367ad
No known key found for this signature in database

View file

@ -1,6 +1,7 @@
package fbhttp
import (
"crypto/subtle"
"errors"
"net/http"
"net/url"
@ -136,7 +137,7 @@ func authenticateShareRequest(r *http.Request, l *share.Link) (int, error) {
return 0, nil
}
if r.URL.Query().Get("token") == l.Token {
if subtle.ConstantTimeCompare([]byte(r.URL.Query().Get("token")), []byte(l.Token)) == 1 {
return 0, nil
}