WEBUI: Protect against timing attacks. Closes #2108.

2025-12-18 22:47:21 -06:00 · 2014-11-02 21:19:27 +02:00
parent 09ab5c37ce
commit 6f14b34470
3 changed files with 22 additions and 1 deletions
--- a/src/webui/requesthandler.cpp
+++ b/src/webui/requesthandler.cpp
@@ -136,7 +136,10 @@ void RequestHandler::action_public_login()
  md5.addData(request().posts["password"].toLocal8Bit());
  QString pass = md5.result().toHex();

-  if ((request().posts["username"] == pref->getWebUiUsername()) && (pass == pref->getWebUiPassword()))
+  bool equalUser = misc::slowEquals(request().posts["username"].toUtf8(), pref->getWebUiUsername().toUtf8());
+  bool equalPass = misc::slowEquals(pass.toUtf8(), pref->getWebUiPassword().toUtf8());
+
+  if (equalUser && equalPass)
  {
    sessionStart();
    print(QByteArray("Ok."), CONTENT_TYPE_TXT);