Diffstat (limited to 'api4')
-rw-r--r-- | api4/channel.go | 11 | ||||
-rw-r--r-- | api4/file.go | 3 |
2 files changed, 9 insertions, 5 deletions
diff --git a/api4/channel.go b/api4/channel.go
index 1599b6e70..d497c9793 100644
--- a/api4/channel.go
+++ b/api4/channel.go
@@ -97,10 +97,11 @@ func updateChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 }
 var oldChannel *model.Channel
- var err *model.AppError
- if oldChannel, err = c.App.GetChannel(channel.Id); err != nil {
+ if originalOldChannel, err := c.App.GetChannel(channel.Id); err != nil {
 c.Err = err
 return
+ } else {
+ oldChannel = originalOldChannel.DeepCopy()
 }
 switch oldChannel.Type {
@@ -229,10 +230,12 @@ func patchChannel(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- oldChannel, err := c.App.GetChannel(c.Params.ChannelId)
- if err != nil {
+ var oldChannel *model.Channel
+ if originalOldChannel, err := c.App.GetChannel(c.Params.ChannelId); err != nil {
 c.Err = err
 return
+ } else {
+ oldChannel = originalOldChannel.DeepCopy()
 }
 switch oldChannel.Type {
diff --git a/api4/file.go b/api4/file.go
index cfb72cdcb..3bb4ea9d6 100644
--- a/api4/file.go
+++ b/api4/file.go
@@ -4,6 +4,7 @@
 package api4
 import (
+ "crypto/subtle"
 "io"
 "io/ioutil"
 "net/http"
@@ -342,7 +343,7 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) {
 return
 }
- if hash != app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt) {
+ if subtle.ConstantTimeCompare([]byte(hash), []byte(app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt))) != 1 {
 c.Err = model.NewAppError("getPublicFile", "api.file.get_file.public_invalid.app_error", nil, "", http.StatusBadRequest)
 utils.RenderWebAppError(c.App.Config(), w, r, c.Err, c.App.AsymmetricSigningKey())
 return |
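Review bot: The new `originalOldChannel.DeepCopy()` call in updateChannel carries no comment saying why the copy is needed, and the same uncommented pattern is repeated in the patchChannel hunk. Presumably `c.App.GetChannel` can return a pointer shared with a cache or with other requests, so mutating it in the handler would let edits that have not yet been validated or saved reach shared state; if that is the reason, record it, e.g. `// Copy before mutating: GetChannel may return a pointer shared with the channel cache.` The `if …; err != nil { … return } else { … }` shape also keeps an `else` after a terminating branch; declaring `originalOldChannel, err := c.App.GetChannel(channel.Id)` on its own line and assigning `oldChannel = originalOldChannel.DeepCopy()` after the error check would read flatter, provided nothing later in the function depends on `err` staying out of scope. Both function bodies start and end outside their hunks.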
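Review bot: The constant-time check in getPublicFile has no comment explaining why `subtle.ConstantTimeCompare` replaced `!=`, and the condition is now long enough to bury it. Hoisting the expected value, `expected := app.GeneratePublicLinkHash(info.Id, *c.App.Config().FileSettings.PublicLinkSalt)`, and testing `if subtle.ConstantTimeCompare([]byte(hash), []byte(expected)) != 1 {` keeps the check readable, and a comment such as `// Constant-time compare so response timing does not reveal how much of the link hash matched.` records the intent. ConstantTimeCompare returns 0 immediately when the two lengths differ, which is acceptable only as long as the hash length is not treated as secret. The function body starts and ends outside the hunk.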