haskell/yesod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Slightly improve comment about constant time comparison

Browse Source
This commit is contained in:
Maximilian Tagher 2015-08-16 20:50:29 -04:00
parent 0fdb78a6f2
commit 949fa2d426
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
yesod-form/Yesod/Form/Functions.hs
View File

@ -228,9 +228,10 @@ postHelper form env = do
| not (Map.lookup tokenKey params === reqToken req) -> | not (Map.lookup tokenKey params === reqToken req) ->
FormFailure [renderMessage m langs MsgCsrfWarning] FormFailure [renderMessage m langs MsgCsrfWarning]
_ -> res _ -> res
-- It's important to use constant-time comparison (constEqBytes) in order to avoid timing attacks.
where (Just [t1]) === (Just t2) = TE.encodeUtf8 t1 `constEqBytes` TE.encodeUtf8 t2 where (Just [t1]) === (Just t2) = TE.encodeUtf8 t1 `constEqBytes` TE.encodeUtf8 t2
Nothing === Nothing = True -- It's important to use constTimeEq Nothing === Nothing = True
_ === _ = False -- in order to avoid timing attacks. _ === _ = False
return ((res', xml), enctype) return ((res', xml), enctype)
-- | Similar to 'runFormPost', except it always ignores the currently available -- | Similar to 'runFormPost', except it always ignores the currently available