normalize users with double // in accessKeys (#11143)

Bonus fix: use a constant-time compare for secret keys in web-handlers.go:SetAuth()
Harshavardhana 4 years ago committed by GitHub
parent d8e28830cf
commit 4cc500a041
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 3
      cmd/admin-handlers-users.go
  2. 3
      cmd/web-handlers.go

@ -22,6 +22,7 @@ import (
"io"
"io/ioutil"
"net/http"
"path"
"github.com/gorilla/mux"
"github.com/minio/minio/cmd/logger"
@ -358,7 +359,7 @@ func (a adminAPIHandlers) AddUser(w http.ResponseWriter, r *http.Request) {
defer logger.AuditLog(w, r, "AddUser", mustGetClaimsFromToken(r))
vars := mux.Vars(r)
accessKey := vars["accessKey"]
accessKey := path.Clean(vars["accessKey"])
// Get current object layer instance.
objectAPI := newObjectLayerFn()
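Review bot: The new `accessKey := path.Clean(vars["accessKey"])` line normalizes a bad key instead of rejecting it: `path.Clean` maps an empty string to `.`, keeps leading `..` components, and turns a value like `a/../../b` into `../b`, so a name that should fail validation is silently rewritten into a different identity before the rest of AddUser (which continues past this hunk) stores it. If the intent is to keep `//` and traversal-style names out of the IAM store, it is safer to fail the request when the cleaned value differs from what the client sent, e.g. `if accessKey == "" || strings.Contains(accessKey, "/") || path.Clean(accessKey) != accessKey { /* write an invalid-access-key error and return */ }` (adding `strings` to the import block if it is not already there), so the caller learns the user was not created under the name it supplied. Any other handlers in this file that read `vars["accessKey"]` would presumably need the same guard, otherwise a user created here under the cleaned name cannot be found under the raw one.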

@ -18,6 +18,7 @@ package cmd
import (
"context"
"crypto/subtle"
"encoding/json"
"encoding/xml"
"errors"
@ -1005,7 +1006,7 @@ func (web *webAPIHandlers) SetAuth(r *http.Request, args *SetAuthArgs, reply *Se
}
// Throw error when wrong secret key is provided
if prevCred.SecretKey != args.CurrentSecretKey {
if subtle.ConstantTimeCompare([]byte(prevCred.SecretKey), []byte(args.CurrentSecretKey)) != 1 {
return errIncorrectCreds
}
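Review bot: The new `subtle.ConstantTimeCompare` call still returns 0 immediately when the two slices differ in length, so a caller who can reach SetAuth can learn the length of the stored secret key through timing even though equal-length contents are now compared in constant time. If secret keys may vary in length, compare fixed-size digests instead, e.g. `a := sha256.Sum256([]byte(prevCred.SecretKey)); b := sha256.Sum256([]byte(args.CurrentSecretKey)); if subtle.ConstantTimeCompare(a[:], b[:]) != 1 { return errIncorrectCreds }` (with `crypto/sha256` added to the imports). The `}` that opens this hunk suggests a preceding credential check outside the hunk; if that is a plain `!=` on the current access key, it deserves the same treatment. A short comment above the check, `// constant-time compare so a wrong guess does not leak how much of the secret matched`, would record why the plain comparison was replaced.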
