normalize users with double // in accessKeys (#11143)

Bonus fix, use constant time compare for secret keys in web-handlers.go:SetAuth()
4 years ago · 4cc500a041
parent d8e28830cf
commit 4cc500a041
2 changed files with 4 additions and 2 deletions
--- a/cmd/admin-handlers-users.go
+++ b/cmd/admin-handlers-users.go
@ -22,6 +22,7 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"path"

 	"github.com/gorilla/mux"
 	"github.com/minio/minio/cmd/logger"
@ -358,7 +359,7 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
 	defer logger.AuditLog(w, r, "AddUser", mustGetClaimsFromToken(r))

 	vars := mux.Vars(r)
-	accessKey := vars["accessKey"]
+	accessKey := path.Clean(vars["accessKey"])

 	// Get current object layer instance.
 	objectAPI := newObjectLayerFn()
--- a/cmd/web-handlers.go
+++ b/cmd/web-handlers.go
@ -18,6 +18,7 @@ package cmd

 import (
 	"context"
+	"crypto/subtle"
 	"encoding/json"
 	"encoding/xml"
 	"errors"
@ -1005,7 +1006,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
 	}

 	// Throw error when wrong secret key is provided
-	if prevCred.SecretKey != args.CurrentSecretKey {
+	if subtle.ConstantTimeCompare([]byte(prevCred.SecretKey), []byte(args.CurrentSecretKey)) != 1 {
 		return errIncorrectCreds
 	}