[enh] Add security comment

This commit is contained in:
ljf (zamentur) 2021-03-02 13:56:32 +01:00 committed by GitHub
parent 00e6b224cb
commit 60aca2f90d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -327,7 +327,9 @@ function is_admin()
local token = token:gsub("\n","")
-- FIXME FIXME FIXME - this is a really stupid and time-attack-prone way to validate the token
-- LUA comparison are made in constant time thanks to interned string mechanism
-- It compare pointers and not char by char. SO no risk of timing attack here :)
-- See https://poprocks.dev/constant-time-string-comparison-in-lua/
if admin_token_header == token then
return true
else