From 541cdd726776bc284e7903f8e4bdf1d9777024aa Mon Sep 17 00:00:00 2001
From: Percy Wegmann
Date: Thu, 2 May 2024 06:35:10 -0500
Subject: [PATCH] drive: use secret token to authenticate access to file server on localhost

This prevents Mark-of-the-Web bypass attacks in case someone visits the localhost WebDAV server directly.

Fixes tailscale/corp#19592

Signed-off-by: Percy Wegmann
---
 drive/driveimpl/fileserver.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drive/driveimpl/fileserver.go b/drive/driveimpl/fileserver.go
index f3c77eb54..b17e0b643 100644
--- a/drive/driveimpl/fileserver.go
+++ b/drive/driveimpl/fileserver.go
@@ -138,7 +138,7 @@ func (s *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 token := parts[0]
 a, b := []byte(token), []byte(s.secretToken)
- if len(a) != len(b) || subtle.ConstantTimeCompare(a, b) != 1 {
+ if subtle.ConstantTimeCompare(a, b) != 1 {
 w.WriteHeader(http.StatusForbidden)
 return
 }
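Review bot: With the length guard gone the whole check now rests on `subtle.ConstantTimeCompare`, which returns 1 for two empty slices, so if `s.secretToken` is ever left at its zero value a request whose first path segment is empty would be accepted; the removed `len(a) != len(b)` test did not protect against that either, so this is not a regression, but a guard `if s.secretToken == "" || subtle.ConstantTimeCompare(a, b) != 1 {` (or a constructor-time check that the token is non-empty, if one exists outside this hunk) would close it. A one-line comment above the new condition such as `// ConstantTimeCompare returns 0 on a length mismatch, so no separate len check is needed.` would keep the redundant guard from being reintroduced later. The commit subject describes introducing token authentication, yet this hunk only drops the redundant length test against an already-present `s.secretToken`; the description could note that the token check itself predates this patch. ServeHTTP starts and ends outside the hunk, so where `parts` is derived and whether it can be empty is not visible here.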