Merge branch 'master' of https://github.com/fvcaputo/haven into fvcap…

…uto-master
guardianproject · Dec 28, 2017 · 1087573 · 1087573
2 parents e81952a + 9aba2c5
commit 1087573
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/src/main/java/org/havenapp/main/service/WebServer.java b/src/main/java/org/havenapp/main/service/WebServer.java
@@ -8,6 +8,8 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.nio.charset.Charset;
+import java.security.MessageDigest;
 import java.util.List;
 import java.util.UUID;
 
@@ -53,12 +55,12 @@ public Response serve(IHTTPSession session) {
             String inPassword = session.getParms().get("p");
             String inSid = session.getCookies().read("sid");
 
-            if (inPassword != null && mPassword.equals(inPassword)) {
+            if (inPassword != null && safeEquals(inPassword, mPassword)) {
                 mSession = UUID.randomUUID().toString();
                 cookie = new OnionCookie ("sid",mSession,100000);
                 session.getCookies().set(cookie);
             }
-            else if (inSid == null || (inSid != null && (!mSession.equals(inSid)))) {
+            else if (inSid == null || (inSid != null && (!safeEquals(inSid, mSession)))) {
                 showLogin(page);
                 return newFixedLengthResponse(page.toString());
             }
@@ -219,6 +221,12 @@ private String getMimeType (EventTrigger eventTrigger)
 
     }
 
+    private boolean safeEquals (String a, String b) {
+        byte[] aByteArray = a.getBytes(Charset.forName("UTF-8"));
+        byte[] bByteArray = b.getBytes(Charset.forName("UTF-8"));
+        return MessageDigest.isEqual(aByteArray, bByteArray);
+    }
+
     class OnionCookie extends Cookie
     {