From 9aba2c5c6736af3ae9a85cde485217e5f99d0b8b Mon Sep 17 00:00:00 2001
From: Felipe Caputo
Date: Sat, 23 Dec 2017 17:58:31 -0200
Subject: [PATCH] Adds time constant comparison
---
 .../java/org/havenapp/main/service/WebServer.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/havenapp/main/service/WebServer.java b/src/main/java/org/havenapp/main/service/WebServer.java
index 226486e4..8eeb8e63 100644
--- a/src/main/java/org/havenapp/main/service/WebServer.java
+++ b/src/main/java/org/havenapp/main/service/WebServer.java
@@ -8,6 +8,8 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
+import java.nio.charset.Charset;
+import java.security.MessageDigest;
 import java.util.List;
 import java.util.UUID;
@@ -53,12 +55,12 @@ public Response serve(IHTTPSession session) {
 String inPassword = session.getParms().get("p");
 String inSid = session.getCookies().read("sid");
- if (inPassword != null && mPassword.equals(inPassword)) {
+ if (inPassword != null && safeEquals(inPassword, mPassword)) {
 mSession = UUID.randomUUID().toString();
 cookie = new OnionCookie ("sid",mSession,100000);
 session.getCookies().set(cookie);
 }
- else if (inSid == null || (inSid != null && (!mSession.equals(inSid)))) {
+ else if (inSid == null || (inSid != null && (!safeEquals(inSid, mSession)))) {
 showLogin(page);
 return newFixedLengthResponse(page.toString());
 }
@@ -219,6 +221,12 @@ private String getMimeType (EventTrigger eventTrigger)
 }
+ private boolean safeEquals (String a, String b) {
+ byte[] aByteArray = a.getBytes(Charset.forName("UTF-8"));
+ byte[] bByteArray = b.getBytes(Charset.forName("UTF-8"));
+ return MessageDigest.isEqual(aByteArray, bByteArray);
+ }
+
 class OnionCookie extends Cookie {
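Review bot: `safeEquals(inSid, mSession)` on the new `else if` line calls `b.getBytes(...)` on `mSession` inside the helper, so a request that carries a `sid` cookie before any successful login has assigned `mSession` would throw if that field starts out null; the old `mSession.equals(inSid)` had the same hazard, but the new helper is the natural place to close it with `if (a == null || b == null) return false;`. The helper in the later hunk also compares the raw UTF-8 bytes of the secret, and `MessageDigest.isEqual` is only constant-time for equal-length inputs (older runtimes return as soon as the lengths differ), so the comparison's timing still depends on the length of `mPassword`/`mSession`; hashing both sides to a fixed-length SHA-256 digest before `isEqual` removes that dependency and the reliance on a particular runtime's implementation. `Charset.forName("UTF-8")` can be `StandardCharsets.UTF_8`, which avoids a lookup that can throw; the rewrite below needs `java.nio.charset.StandardCharsets` and `java.security.NoSuchAlgorithmException` added to the import hunk. `serve` starts and ends outside this hunk, and the `safeEquals` hunk runs past the end of the patch as shown, so the fence replaces that helper whole.
```java
    private boolean safeEquals(String a, String b) {
        // Null on either side is "not equal" rather than an NPE; the session
        // field may not have been assigned yet when a stale cookie arrives.
        if (a == null || b == null) {
            return false;
        }
        try {
            // Compare fixed-length digests so the constant-time check never
            // depends on the length of the stored secret.
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] aDigest = sha256.digest(a.getBytes(StandardCharsets.UTF_8));
            byte[] bDigest = sha256.digest(b.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(aDigest, bDigest);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is a mandatory algorithm on every Java runtime; absence is a broken platform.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
```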