author | Carlos Tadeu Panato Junior <ctadeu@gmail.com> | 2018-09-10 16:13:21 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-09-10 16:13:21 +0200 |
commit | 1f87596e7545cac041ed66e3640ec98bd09f129c (patch) | |
tree | 834a3cfeeda909b11d066084d81ac280d5574a77 /api4/file.go | |
parent | 435ce3df4b1671643f5427b8983d6a0fe1e1dc03 (diff) | |
parent | a8d116b381ec9c28c5da5c8ee39a3699f568130d (diff) | |
download | chat-1f87596e7545cac041ed66e3640ec98bd09f129c.tar.gz chat-1f87596e7545cac041ed66e3640ec98bd09f129c.tar.bz2 chat-1f87596e7545cac041ed66e3640ec98bd09f129c.zip |
Merge release-5.3
Diffstat (limited to 'api4/file.go')
-rw-r--r-- | api4/file.go | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/api4/file.go b/api4/file.go
index cfb72cdcb..3bb4ea9d6 100644
--- a/api4/file.go
+++ b/api4/file.go
@@ -4,6 +4,7 @@
 package api4
 
 import (
+ "crypto/subtle"
 "io"
 "io/ioutil"
 "net/http"
@@ -342,7 +343,7 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if hash != app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt) {
+ if subtle.ConstantTimeCompare([]byte(hash), []byte(app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt))) != 1 {
 c.Err = model.NewAppError("getPublicFile", "api.file.get_file.public_invalid.app_error", nil, "", http.StatusBadRequest)
 utils.RenderWebAppError(c.App.Config(), w, r, c.Err, c.App.AsymmetricSigningKey())
 return
|
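Review bot: The new comparison in getPublicFile has no comment saying why `subtle.ConstantTimeCompare` replaces `!=`, so a later cleanup could quietly restore the timing-dependent string compare. I would add `// Constant-time compare: this hash authorizes access to the public link, so the position of a mismatch must not be observable through response time.` directly above the `if`. ConstantTimeCompare returns 0 immediately when the two lengths differ, which is acceptable only while the length of the generated hash is not secret; GeneratePublicLinkHash is not visible in this hunk, so that is worth confirming. Hoisting the expected value into a local, `expected := app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt)`, would also make the long condition easier to read. The function body starts and ends outside the hunk.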