Mirrors/filebrowser
1
0
Fork 0
mirror of https://github.com/filebrowser/filebrowser.git synced 2026-01-22 18:27:42 +00:00
Code Issues Projects Releases Wiki Activity

Merge commit from fork

Browse source 
Added a dummy bcrypt hash to prevent user enumeration timing attacks in JSON authentication.
This commit is contained in:
GUCHI 2026-01-18 08:44:16 +01:00 committed by GitHub
parent 4094fb359b
commit 24781badd4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 15 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

16
auth/json.go
View file

@ -14,6 +14,10 @@ import (
// MethodJSONAuth is used to identify json auth. // MethodJSONAuth is used to identify json auth.
const MethodJSONAuth settings.AuthMethod = "json" const MethodJSONAuth settings.AuthMethod = "json"
// dummyHash is used to prevent user enumeration timing attacks.
// It MUST be a valid bcrypt hash.
const dummyHash = "$2a$10$O4mEMeOL/nit6zqe.WQXauLRbRlzb3IgLHsa26Pf0N/GiU9b.wK1m"
type jsonCred struct { type jsonCred struct {
Password string `json:"password"` Password string `json:"password"`
Username string `json:"username"` Username string `json:"username"`
@ -52,7 +56,17 @@ func (a JSONAuth) Auth(r *http.Request, usr users.Store, _ *settings.Settings, s
} }
u, err := usr.Get(srv.Root, cred.Username) u, err := usr.Get(srv.Root, cred.Username)
if err != nil || !users.CheckPwd(cred.Password, u.Password) {
hash := dummyHash
if err == nil {
hash = u.Password
}
if !users.CheckPwd(cred.Password, hash) {
return nil, os.ErrPermission
}
if err != nil {
return nil, os.ErrPermission return nil, os.ErrPermission
} }