drive: use secret token to authenticate access to file server on localhost

This prevents Mark-of-the-Web bypass attacks in case someone visits the
localhost WebDAV server directly.

Fixes tailscale/corp#19592

Signed-off-by: Percy Wegmann <percy@tailscale.com>
This commit is contained in:
Percy Wegmann 2024-05-02 06:35:10 -05:00
parent b839a1bb6c
commit 541cdd7267
No known key found for this signature in database
GPG Key ID: 29D8CDEB4C13D48B
1 changed files with 1 additions and 1 deletions


@ -138,7 +138,7 @@ func (s *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
token := parts[0]
a, b := []byte(token), []byte(s.secretToken)
if len(a) != len(b) || subtle.ConstantTimeCompare(a, b) != 1 {
if subtle.ConstantTimeCompare(a, b) != 1 {
w.WriteHeader(http.StatusForbidden)
return
}