normalize users with double // in accessKeys (#11143)

Bonus fix, use constant time compare for secret keys in web-handlers.go:SetAuth()
2025-11-07 04:42:56 -05:00 · 2020-12-20 10:09:51 -08:00
parent d8e28830cf
commit 4cc500a041
2 changed files with 4 additions and 2 deletions
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@@ -18,6 +18,7 @@ package cmd

 import (
 	"context"
+	"crypto/subtle"
 	"encoding/json"
 	"encoding/xml"
 	"errors"
@@ -1005,7 +1006,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
 	}

 	// Throw error when wrong secret key is provided
-	if prevCred.SecretKey != args.CurrentSecretKey {
+	if subtle.ConstantTimeCompare([]byte(prevCred.SecretKey), []byte(args.CurrentSecretKey)) != 1 {
 		return errIncorrectCreds
 	}