MyFavMirrors/minio
1
0
Fork 0
mirror of https://github.com/minio/minio.git synced 2025-01-11 23:13:23 -05:00
Code Issues Packages Projects Releases Wiki Activity

normalize users with double // in accessKeys (#11143)

Browse Source 
Bonus fix, use constant time compare for secret keys  in web-handlers.go:SetAuth()
This commit is contained in:
Harshavardhana 2020-12-20 10:09:51 -08:00 committed by GitHub
parent d8e28830cf
commit 4cc500a041
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/admin-handlers-users.go
View File

@ -22,6 +22,7 @@ import (
"io"
"io/ioutil"
"net/http"
"path"
"github.com/gorilla/mux"
"github.com/minio/minio/cmd/logger"
@ -358,7 +359,7 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
defer logger.AuditLog(w, r, "AddUser", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
accessKey := vars["accessKey"]
accessKey := path.Clean(vars["accessKey"])
// Get current object layer instance.
objectAPI := newObjectLayerFn()

3
cmd/web-handlers.go
View File

@ -18,6 +18,7 @@ package cmd
import (
"context"
"crypto/subtle"
"encoding/json"
"encoding/xml"
"errors"
@ -1005,7 +1006,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
}
// Throw error when wrong secret key is provided
if prevCred.SecretKey != args.CurrentSecretKey {
if subtle.ConstantTimeCompare([]byte(prevCred.SecretKey), []byte(args.CurrentSecretKey)) != 1 {
return errIncorrectCreds
}