drive: use secret token to authenticate access to file server on localhost

This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly. Fixes tailscale/corp#19592 Signed-off-by: Percy Wegmann <percy@tailscale.com>
6 months ago · 0c11fd978b
parent 9d22ec0ba2
commit 0c11fd978b
1 changed files with 3 additions and 1 deletions
--- a/drive/driveimpl/fileserver.go
+++ b/drive/driveimpl/fileserver.go
@ -5,6 +5,7 @@ package driveimpl

 import (
 	"crypto/rand"
+	"crypto/subtle"
 	"encoding/hex"
 	"fmt"
 	"net"
@ -117,7 +118,8 @@ func (s *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	parts := shared.CleanAndSplit(r.URL.Path)

 	token := parts[0]
-	if token != s.secretToken {
+	a, b := []byte(token), []byte(s.secretToken)
+	if len(a) != len(b) || subtle.ConstantTimeCompare(a, b) != 1 {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}