From 46fe74490ef100b59686dfbb305f2b857cae6a28 Mon Sep 17 00:00:00 2001
From: Matt Silverlock <matt@eatsleeprepeat.net>
Date: Sat, 13 Feb 2016 09:00:10 -0800
Subject: [PATCH 1/2] [bugfix] Token comparison could fail on versions of Go <
 1.3.

- subtle.ConstantTimeCompare did not check for matching slice lengths prior to Go
  1.3 (fixed in https://codereview.appspot.com/118750043).
- gorilla/csrf was released a year after this came into place.
- Our TravisCI tests did not test against older versions of Go, and this wasn't
  caught as a result.
- Have added Go 1.2 and Go 1.3 to the TravisCI config to address any future
  issues.
---
 helpers.go      |  8 +++++---
 helpers_test.go | 11 +++++++++++
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/helpers.go b/helpers.go
index fd96b3a..e01d117 100644
--- a/helpers.go
+++ b/helpers.go
@@ -150,11 +150,13 @@ func sameOrigin(a, b *url.URL) bool {
 // compare securely (constant-time) compares the unmasked token from the request
 // against the real token from the session.
 func compareTokens(a, b []byte) bool {
-	if subtle.ConstantTimeCompare(a, b) == 1 {
-		return true
+	// This is required as subtle.ConstantTimeCompare does not check for equal
+	// lengths in Go versions prior to 1.3.
+	if len(a) != len(b) {
+		return false
 	}
 
-	return false
+	return subtle.ConstantTimeCompare(a, b) == 1
 }
 
 // xorToken XORs tokens ([]byte) to provide unique-per-request CSRF tokens. It
diff --git a/helpers_test.go b/helpers_test.go
index ad641f4..09fbe3e 100644
--- a/helpers_test.go
+++ b/helpers_test.go
@@ -254,3 +254,14 @@ func TestTemplateField(t *testing.T) {
 			templateField, expectedField)
 	}
 }
+
+func TestCompareTokens(t *testing.T) {
+	// Go's subtle.ConstantTimeCompare prior to 1.3 did not check for matching
+	// lengths.
+	a := []byte("")
+	b := []byte("an-actual-token")
+
+	if v := compareTokens(a, b); v == true {
+		t.Fatalf("compareTokens failed on different tokens: got %v want %v", v, !v)
+	}
+}

From a5a43fb1df88a4821dbe077289e1be6bb1bc5f18 Mon Sep 17 00:00:00 2001
From: Matt Silverlock <matt@eatsleeprepeat.net>
Date: Sat, 13 Feb 2016 09:02:22 -0800
Subject: [PATCH 2/2] [ci] Updated Travis to use matrix builds.

---
 .travis.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 74942d9..8f7055d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,13 +1,19 @@
 language: go
 sudo: false
-go:
-  - 1.4
-  - 1.5
-  - tip
+
+matrix:
+  include:
+    - go: 1.2
+    - go: 1.3
+    - go: 1.4
+    - go: 1.5
+    - go: tip
+
 install:
   - go get golang.org/x/tools/cmd/vet
+
 script:
   - go get -t -v ./...
-  - diff -u <(echo -n) <(gofmt -d -s .)
+  - diff -u <(echo -n) <(gofmt -d .)
   - go tool vet .
   - go test -v -race ./...