evie/caddy
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
caddy/modules/caddyhttp/caddyauth
History
Matthew Holt 937ec34201
caddyauth: Prevent user enumeration by timing 
Always follow the code path of hashing and comparing a plaintext
password even if the account is not found by the given username; this
ensures that similar CPU cycles are spent for both valid and invalid
usernames.

Thanks to @tylerlm for helping and looking into this!
2020-10-31 10:51:05 -06:00
..
basicauth.go caddyauth: Prevent user enumeration by timing 2020-10-31 10:51:05 -06:00
caddyauth.go httpcaddyfile: Don't lowercase placeholder contents (fixes #3264) 2020-04-14 16:11:46 -06:00
caddyfile.go caddyhttp: Add client cert SAN placeholders 2020-06-11 16:19:07 -06:00
command.go caddyauth: Prevent user enumeration by timing 2020-10-31 10:51:05 -06:00
hashes.go caddyauth: Prevent user enumeration by timing 2020-10-31 10:51:05 -06:00