drive: use secret token to authenticate access to file server on localhost

This prevents Mark-of-the-Web bypass attacks in case someone visits the
localhost WebDAV server directly.

Fixes tailscale/corp#19592

Signed-off-by: Percy Wegmann <percy@tailscale.com>
pull/11956/head
Percy Wegmann 6 months ago
parent d32e85894d
commit a7272b7e75
No known key found for this signature in database
GPG Key ID: 29D8CDEB4C13D48B

@ -5,6 +5,7 @@ package driveimpl
import ( import (
"crypto/rand" "crypto/rand"
"crypto/subtle"
"encoding/hex" "encoding/hex"
"fmt" "fmt"
"net" "net"
@ -117,7 +118,8 @@ func (s *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
parts := shared.CleanAndSplit(r.URL.Path) parts := shared.CleanAndSplit(r.URL.Path)
token := parts[0] token := parts[0]
if token != s.secretToken { a, b := []byte(token), []byte(s.secretToken)
if len(a) != len(b) || subtle.ConstantTimeCompare(a, b) != 1 {
w.WriteHeader(http.StatusForbidden) w.WriteHeader(http.StatusForbidden)
return return
} }
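Review bot: The explicit `len(a) != len(b) ||` guard in ServeHTTP is redundant, because subtle.ConstantTimeCompare already returns 0 when its arguments differ in length; the condition can be reduced to `if subtle.ConstantTimeCompare([]byte(token), []byte(s.secretToken)) != 1 {`. The comparison also succeeds when both values are empty, so if s.secretToken could ever be unset (its generation is not visible in this section) the handler should fail closed by rejecting an empty `s.secretToken` before comparing. A short comment such as `// constant-time compare so response timing does not reveal how much of the token matched` would record why the plain `!=` was replaced. ServeHTTP's body continues outside the hunk.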
