Small security fixes #5

Merged
merged 2 commits into from
Jan 31, 2020

Conversation

@bouk (Contributor) commented Jan 31, 2020

Just two small fixes:

  1. Remove the 'check' variable. It seems dangerous to me to leave it around, since a small error can mean the verification is turned off.
  2. Resolve a timing attack that would make it possible for an attacker to figure out the auth token.

There was a bug that if an empty token was ever passed in, all
subsequent usage of ListenAndServe would skip the check. We should just
remove this global and reject empty tokens.
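The two fixes the PR describes (no global `check` flag, empty tokens rejected up front, and a constant-time token comparison) worked through as an added Go example. This is illustrative code written for this page, not nanobox-io's implementation; the `Authenticator` type, the `X-AUTH-TOKEN` header name and the sample token are assumptions. `insecureEqual` is kept only to show what the early-exit comparison being replaced looks like beside `crypto/subtle.ConstantTimeCompare`.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
)

// Illustrative code for this page; not nanobox-io's implementation.

// ErrEmptyToken is returned when the configured token is empty. Failing at
// construction time avoids the "empty token disables all later checks"
// behaviour the commit message describes.
var ErrEmptyToken = errors.New("auth token must not be empty")

// Authenticator holds the expected token. There is deliberately no global
// "check" flag that a small error could flip off: every request is verified.
type Authenticator struct {
	token []byte
}

// NewAuthenticator rejects an empty token instead of silently disabling checks.
func NewAuthenticator(token string) (*Authenticator, error) {
	if token == "" {
		return nil, ErrEmptyToken
	}
	return &Authenticator{token: []byte(token)}, nil
}

// insecureEqual is the kind of comparison the PR replaces: it returns at the
// first differing byte, so its running time depends on how many leading bytes
// of the guess are correct. Shown for contrast only; do not use for secrets.
func insecureEqual(a, b []byte) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// Verify compares the presented token to the expected one in constant time.
// subtle.ConstantTimeCompare returns 0 immediately when the lengths differ,
// which only reveals the token's length; the per-byte work does not depend on
// where the first mismatch is.
func (a *Authenticator) Verify(presented string) bool {
	return subtle.ConstantTimeCompare(a.token, []byte(presented)) == 1
}

// Middleware rejects any request whose X-AUTH-TOKEN header (an assumed header
// name) does not verify, before handing the request to next.
func (a *Authenticator) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.Verify(r.Header.Get("X-AUTH-TOKEN")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	auth, err := NewAuthenticator("example-token") // constructed sample token
	if err != nil {
		panic(err)
	}
	fmt.Println("correct token accepted:", auth.Verify("example-token"))
	fmt.Println("wrong token accepted:  ", auth.Verify("example-tokem"))
	_, err = NewAuthenticator("")
	fmt.Println("empty token rejected:  ", errors.Is(err, ErrEmptyToken))
}
```

Wrapping `http.ListenAndServe`'s handler in `auth.Middleware` means there is no code path that serves a request without running `Verify`, which is the structural property the removed global could not guarantee.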
@tylerflint tylerflint closed this Jan 31, 2020
@tylerflint tylerflint reopened this Jan 31, 2020
@tylerflint tylerflint merged commit 063a3fb into nanobox-io:master Jan 31, 2020
@bouk bouk deleted the constant-time-compare branch January 31, 2020 13:23