Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

basic auth: fix timing oracle #2609

Merged
merged 2 commits into from
Jan 13, 2021
Merged

basic auth: fix timing oracle #2609

merged 2 commits into from
Jan 13, 2021

Conversation

Snawoot
Copy link
Contributor

@Snawoot Snawoot commented Jan 12, 2021

Fix #2226

I've read discussion in #2226, but there are few reasons to consider on behalf of merge of this PR:

  • It's pretty easy to fix it
  • Even if Basic Auth should not be considered as a secure auth method, it will be often misused in the wild. It'll be hard to make people using basic auth middleware always make informed decision.
  • There are cases like server to server integration via HTTPS where basic auth is just good enough.

@codecov
Copy link

codecov bot commented Jan 12, 2021

Codecov Report

Merging #2609 (705955b) into master (46ddd42) will not change coverage.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #2609   +/-   ##
=======================================
  Coverage   98.64%   98.64%           
=======================================
  Files          41       41           
  Lines        1989     1989           
=======================================
  Hits         1962     1962           
  Misses         15       15           
  Partials       12       12           
Impacted Files Coverage Δ
auth.go 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 46ddd42...705955b. Read the comment docs.

@thinkerou thinkerou added this to the 1.7 milestone Jan 13, 2021
Copy link
Member

@thinkerou thinkerou left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@thinkerou thinkerou merged commit b01605b into gin-gonic:master Jan 13, 2021
@Snawoot Snawoot deleted the fix_basic_auth_timing_oracle branch January 13, 2021 01:49
RK-GCP added a commit to RK-GCP/gin that referenced this pull request Mar 18, 2021
* Revert "Adding ppc64le architecture support on travis-ci (gin-gonic#2538)" (gin-gonic#2602)

* test: fixed the TestUnixSocket test on windows (gin-gonic#2595)

Co-authored-by: thinkerou <[email protected]>

* gin mode unknown: show available mode (gin-gonic#2567)

Co-authored-by: thinkerou <[email protected]>

* fix error gin support min Go version (gin-gonic#2584)

Co-authored-by: thinkerou <[email protected]>

* Fixes to the graceful shutdown example (gin-gonic#2552)

* Change error comparison to use errors.Is() and add a line of whitespace before the if statement on graceful shutdown

* Change from log.Fatalf to log.Printf to ensure the graceful shutdown actually works

Co-authored-by: J. J. Bigorra <[email protected]>
Co-authored-by: thinkerou <[email protected]>

* basic auth: fix timing oracle (gin-gonic#2609)

Co-authored-by: thinkerou <[email protected]>

* chore: Deleted spaces (gin-gonic#2622)

* Remove the tedious named return value (gin-gonic#2620)

Co-authored-by: thinkerou <[email protected]>

Co-authored-by: thinkerou <[email protected]>
Co-authored-by: Jeff <[email protected]>
Co-authored-by: Rubi <[email protected]>
Co-authored-by: Qt <[email protected]>
Co-authored-by: Josep Jesus Bigorra Algaba <[email protected]>
Co-authored-by: J. J. Bigorra <[email protected]>
Co-authored-by: Snawoot <[email protected]>
Co-authored-by: Alexander Melentyev <[email protected]>
Co-authored-by: Andy Pan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

gin.BasicAuth susceptible to Timing Oracle Attack
2 participants